CHECKLIST FOR HOTEL CHAIN IN INDIA FOR GDPR COMPLIANCE
Understanding GDPR:
The GDPR gives power back to consumers by forcing companies to be transparent about how they collect, store, and share their customers’ personal data. The GDPR applies to any organization or business collecting data on EU citizens. The three main objectives of the GDPR are: protection of natural persons when their data is processed, protection of their fundamental rights and freedoms with respect to data protection, and free movement of personal data for processing purposes.
1. Which Hotel Staff need to know about the GDPR?
Decision makers and key people in hotels should be aware that the law is changing to the GDPR. This would include at least the following roles, if they exist: General Manager, Head of Marketing, and Revenue Manager. Each of these roles deals with a significant amount of customer and employee data.
2. What kind of Information Should a Hotel be cautious about?
All data about persons in the EU is covered under the GDPR. This includes both guests and employees. Hotels should document what personal data they hold, where it came from, and with whom it is shared. Hotels may need to organize an information audit.
“Personal data” is any data about an identifiable person. A person can be identified by their name, phone number, email address, reservation number, IP address, or any information that allows them to be uniquely identified.
The GDPR grants extra protections for “sensitive data.” This includes personal data that reveals any of the following:
· trade union membership, which may be revealed by event attendance
· biometrics for the purpose of uniquely identifying someone, such as a fingerprint stored for opening doors
· health status, which may be disclosed in guest requests
· sex life or sexual orientation, which may also be disclosed in some guest requests.
The following are less likely to show up in hotel systems, but should still be understood to be sensitive in case they do:
· genetic data
· racial or ethnic origin
· political opinions
· religious or philosophical beliefs
All of the above types of sensitive data can only be handled with explicit consent. If this kind of data is collected incidentally, it should be removed immediately to avoid undertaking new obligations for the protection of that data.
3. How can the GDPR affect the software a Hotel uses?
All rules that hotels must follow also apply to the software they use. If a hotel uses a product to process its data, that product must adhere to all the same obligations that the hotelier has. Every single vendor who receives personal data from a hotel must share a Data Processing Agreement (DPA) with the hotelier to confirm that the vendor is compliant with the rules of the GDPR. The DPA must dictate the purposes for which the processor is processing the data.
If a hotel is using software provided by its brand or flag, it may not be in complete control of how the gathered information will be used. In that case, as joint controllers of the data, the hotel and its brand would need to draw up a contract that explicitly states their relationship with regard to managing data. Both parties would need to communicate that relationship to both guests and employees.
4. What do Hotels need to do about their vendors?
For each vendor that processes guests’ personal information, a hotel needs to do the following:
1. Determine the type of data the vendor processes.
2. Determine the purpose for which the processing is happening.
3. Obtain a Data Processing Agreement.
4. If the vendor is outside the EU, sign the standard contractual clauses (usually part of the Data Processing Agreement mentioned above), or confirm that the vendor is a member of the Privacy Shield.
5. Mention the vendor in the hotel’s privacy policy, along with the purpose of the vendor and how the data will be used.
5. Communication of Privacy Notices to Guests.
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. You should review how you seek, record, and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
Hoteliers may need to speak with customers at check-in where explicit consent is required for a form of data collection, such as consent to marketing communications. All loyalty programs need to be examined for similar requirements if data is used in a way that requires consent.
6. Is database encryption necessary?
It depends. The GDPR recommends that companies take steps to protect all personal data, but it does not specify what those steps have to be. Instead, companies are asked to identify the risks to personal data and do what is appropriate for those risks. Encryption is one of many options available to protect data, but it is not specifically required by the GDPR.
7. How Should Hotels Handle Children’s data?
Within the EU/EEC, a “child” is defined as someone younger than a country-defined age between 13 and 16. In most cases, hotels will not need to rely on children’s or parents’ consent to process guest information, since the primary basis for data processing is handling reservations. However, where consent is the basis for data processing, for example for marketing purposes, children’s data needs to be handled with extra care.
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity. Children’s data can only be handled with explicit consent when consent is required.
8. Do Hotels in India need to Compulsorily Comply with the GDPR?
According to Article 3 of the GDPR, the regulations cover activity happening within the EU or data processing by organizations based in the EU. When an EU citizen travels outside the EU, their activities outside the EU are no longer protected by the GDPR unless the organization processing the data is based in the EU.
However, a booking process that happens between a person in the EU and a hotel outside the EU is considered covered by the GDPR. Data that is collected in the EU during that process is an activity happening within the EU. So hotels outside the EU do collect data that is covered by the GDPR as part of the online reservation process. This data needs to be protected with the appropriate safeguards described above.
9. What are the consequences of Non-Compliance?
Businesses can be fined up to 4% of annual global turnover or $24.6 million (€20 million), whichever is higher, for not complying with the GDPR rules.
Prepared By: Nikhil Naren
Intern, Scriboard