The hotel industry is increasingly targeted by cybercrime. In November 2018, Marriott announced that the records of up to 500 million guests had been exposed in a breach of its Starwood reservation database that had gone undetected for roughly four years. More recently, researchers uncovered another large-scale data breach with serious implications for hotel chains around the globe.
Why are hotels targeted? One reason is that they store and process very high volumes of guest information and payment card details, often across many connected systems. To safeguard this data, hotels need to invest in robust digital security that complies with the General Data Protection Regulation (GDPR).
What is GDPR?
The European Union’s General Data Protection Regulation came into force on 25 May 2018. The regulation is designed to give individuals in the EU greater privacy and more control over how their personal data is collected, used and shared.
Hotels Around the World are Subject to GDPR
The GDPR does not just apply to hotels based in the EU. It applies to any hotel, wherever it is located, that collects or processes the personal data of people in the EU, for example by taking bookings from EU residents or tracking their behaviour online.
The penalties for non-compliance are severe. In addition to operational disruption and damage to a hotel’s reputation, the maximum fine for a serious infringement is either 4% of a company’s total worldwide annual turnover or 20 million Euros, whichever figure is greater.
What Else do Hotels Need to Know?
Under the GDPR, hotels are almost always classed as the “Data Controller”, because the hotel decides why guest data is collected and how it is used. A vendor that handles that data on the hotel’s behalf, such as a booking engine or property management system provider, is a “Data Processor”. As a hotelier, it is your responsibility to use only processors that provide sufficient guarantees of GDPR compliance, and to have a written contract in place with each of them.
This point is key. Typically, hotels use technology from a vendor but don’t get involved in how that technology collects and stores data. In the post-GDPR world, the hotel is responsible for checking that the vendors it uses follow the regulation, and it cannot delegate that accountability away.
What Can Your Hotel Do to Protect Guest Data?
As already outlined, the GDPR places primary responsibility for guest data on the hotel as controller. Processors have their own obligations, but it is the hotel that must demonstrate compliance and that must notify the supervisory authority within 72 hours of becoming aware of a breach. And of course, when a data breach happens, it’s not the vendor’s name that makes the headlines. It’s the hotel’s.
This means that protecting guest data goes well beyond GDPR compliance. Your brand reputation is at stake. More than that, protecting personal data is essential to earning your customers’ trust. In an age when fears over personal data leaks are greater than ever, your guests need to be reassured that their privacy is your priority.
With that in mind, here are a few key recommendations to tighten up your hotel’s digital security.
1. Data Risk Assessment
Hotels store and share digital information across numerous systems, including central reservation systems, payment card processors, online travel agencies (OTAs), third-party suppliers and point-of-sale systems. Start by mapping where guest data lives and which systems and vendors handle it; you cannot protect data you have not located. Then carry out a comprehensive data security assessment to identify and address weaknesses before an attacker finds them. Either work with a specialist security assessor or build your own in-house team, and repeat the assessment on a regular basis, and whenever a new system or vendor is introduced, to spot new weaknesses that need addressing.
2. Physical Security
You can also help prevent a data breach by bolstering the physical security of your network equipment. Examples include installing access controls on the rooms and cupboards where network equipment is kept, and keeping unused network ports in public areas disabled. While attacks often take place remotely, criminals will happily take the easy front-door option if your physical network hardware isn’t secured.
3. Conduct Staff Training
Your staff play a vital role in your digital security efforts. They need to be well trained in handling personal data and to understand what constitutes a personal data breach. Not only should they know how to spot and report suspicious emails or activity, they also need to be aware of how their own behaviour can unintentionally lead to a data leak.
For instance, if a senior hotel employee has access to their hotel email account on their smartphone, then that smartphone must, as a minimum, have a PIN or biometric screen lock so that a lost or stolen device does not hand over guest data to whoever finds it. Sounds simple, but you would be surprised how often even this basic precaution is ignored.
4. Make Sure your Vendor is GDPR Compliant
All third-party suppliers you work with must adhere to the same rules set out in the GDPR. This includes website booking engines, web design agencies, channel managers and property management software. Any vendor that processes your guests’ personal data on your behalf must sign a Data Processing Agreement (DPA) with you. The DPA does not by itself prove compliance; it is the contract the GDPR requires, and it should set out what data the vendor processes and why, the security measures it applies, how it handles sub-processors, how quickly it will notify you of a breach, and what happens to the data when the contract ends. Read it, and check that the vendor can actually deliver what it promises.
5. Conduct Regular Security Audits
The world of digital data fraud is constantly changing. So no matter how solid your security plan, it’s imperative to conduct regular security audits to ensure there aren’t any obvious chinks in your armour. Make sure any network hardware and software you use is still vendor supported (i.e. not end-of-life hardware or unpatched software, which no longer receive security fixes and put your data infrastructure at considerable risk).
The hotel industry remains extremely vulnerable to data breaches, so every precaution needs to be taken to safeguard guest information. To reduce the risk and comply with GDPR, hotels need a robust strategy that includes regular security audits, staff training, investment in the right technologies and confirmation that their vendors are GDPR compliant. At the same time, robust digital security will reduce the odds of a highly disruptive data leak, instil confidence in your guests and help protect your brand reputation.