Within Edgar, Dunn & Company (EDC), the Travel Practice team provides advice on various topics to players in the travel space, including hoteliers.  As we move towards the deadline, EDC has been keen to understand the implications of the General Data Protection Regulation (GDPR) for hotels.  Considering that GDPR is the biggest shake-up of data protection laws for 20 years, EDC wanted to conduct a survey of hoteliers to uncover answers to the following question – are hoteliers ready for GDPR compliance?  Our original working hypothesis can be summarised into three key areas:

  1. For medium and large hotels, the GDPR will have a significant impact on their business operations, but they are not likely to be GDPR compliant in time, by May 2018
  2. There would be a close correlation between how payments are processed within a hotel, from booking through to check-out, and the collection, storage and processing of personal consumer data (as defined by the GDPR)
  3. The GDPR challenges faced by hotels will be similar for other travel-related businesses, such as train operators, and airlines

The new GDPR will strengthen and harmonise data protection laws across Europe from 25 May 2018.  As the GDPR will replace the current Directive and take the form of a Regulation, this means it will be enforceable by law immediately in all Member States, without the need to transpose it into national laws. The UK Government has confirmed that its decision to leave the EU will not affect the commencement of the GDPR.

The GDPR will have a huge impact on the protection of data, data privacy and the rights of data subjects (people who reside in the European Union).  This is not just about EU citizens, it is about everyone who resides in the EU.

According to Eurostat, there are an estimated 510 million citizens living in the EU and 2.4 million of them are from non-member EU countries. The United Nations World Tourism Organisation (UNWTO) recently published its ‘Tourism Highlights’ report, which stated that the EU is a major tourist destination, with four of its Member States among the world’s top 10 destinations in 2016.  According to the UNWTO, there are around 124 million people traveling to the EU from non-EU countries every year who will stay overnight in a hotel and, therefore, fall within the GDPR remit.  Furthermore, the GDPR applies to stored EU citizens’ data independently of where guests stay around the world.  Based on Eurostat, there are 71 million EU citizens travelling to non-EU countries per year.  Essentially, the GDPR will impact all businesses in the hospitality sector worldwide.

The results of our survey highlight that most medium and large hotel brands operate with a highly fragmented or a poorly defined data management system.  We could, therefore, expect that many hotels will not be compliant when the GDPR requirements take effect.  Aligning data processing policies and procedures with the GDPR requirements will take most organizations longer than they anticipated.

Survey Methodology

EDC approached more than 300 UK-based hotels to conduct this survey.  They varied in size: some small (less than 100 rooms), some medium (101 to 199 rooms) and some belonging to large international hotel chains, with more than 200 rooms.  We asked them to complete an online GDPR survey which was open between September and November 2017.  The findings described in this article provide a representative sample of the opinion of experts and vendors from the hotel industry across the UK.  We believe the UK hotels are representative of other European hotels, but outside Europe GDPR awareness amongst hoteliers is alarmingly limited.

The objective of conducting this survey was to gain a better understanding of the needs of hotels in terms of data security, their knowledge of the implications of the GDPR and the potential changes that could affect the way hotels operate.  Additionally, several qualitative telephone interviews were performed on both sides of the Atlantic with leading hotel vendors, such as Property Management System (PMS) providers, channel managers, etc. to obtain an in-depth analysis of the current situation.  These interviews were helpful for exploring what hotels are currently thinking about their GDPR plans and their expectations as to when they will become GDPR ready.

Controller Or Processor?

One fundamental aspect of the new regulation is that the basic concepts of a data ‘controller’ and ‘processor’ remain essentially unchanged under the GDPR.  However, their respective obligations are significantly amended.  Just to be clear, a ‘controller’ means the natural or legal person, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.  For our survey, the data controller is the hotel.  The ‘data subject’ is the guest who stays at the hotel.  On the other hand, a ‘processor’ means a natural or legal person, agency or any other body which processes personal data on behalf of the controller.  Basically, all the software vendors, IT platform suppliers, loyalty programme and service providers that may be handling the guest’s personal data on behalf of the hotel are categorised as data processors.

Interestingly, our telephone interviews with data processors implied that they were not responsible for GDPR compliance and responsibility was solely with the data controllers.  (This is not entirely true).  Nonetheless, further questioning found that the majority of vendors did not know when they would become GDPR compliant.  There appears to be some confusion in this area and we would expect numerous cases of finger-pointing after 25 May 2018; cases where data controllers will declare that GDPR compliance is partially the responsibility of the processor, whereas data processors will claim something else.

Through conversations with non-EU players, it appeared that some vendors from North America seem to be entirely unaware of the GDPR or the need to comply.

Not Enough Awareness And Not Enough Action

A significant finding from our hotel survey was that 57 percent of the respondents admitted that they have not started the process of GDPR implementation.  This took us by surprise, considering that at the time of closing the survey, there were only 6 months left until May 2018.  In order to validate our findings, we explored whether there were any other surveys conducted on the topic within the hotel industry.  Unfortunately, there were no comparable hotel surveys available in the public domain.  However, at a similar time, a survey conducted by the International Association of Privacy Professionals (IAPP), in coordination with TRUSTe, found slightly more advanced preparations.  The IAPP survey, which nonetheless did not focus on the hotel industry, stated that 67 percent of EU companies reported having begun a GDPR implementation.  This is a stark contrast with our findings, which may derive from the fact that the IAPP surveyed all types of companies, without focusing solely on hotels.

Our concern is that the hotels appear to be spending a significant amount of time understanding the legislation and making plans to be GDPR-ready instead of setting up an ongoing GDPR implementation strategy.  During some of our qualitative interviews with a larger hotel group, with over 2,500 rooms, we found out that they were further along with their GDPR implementation plans.  However, our findings also revealed that, amongst medium and smaller hotels (with less than 2,500 rooms), there is a huge lack of GDPR planning or implementation.

When required to select the closest description of their GDPR plans, 39 percent of our survey respondents pointed out they had not started the implementation phase, but they were working on their GDPR plan.  Meanwhile, 18 percent of them indicated that they have a plan in place, but have not started working on the implementation aspect.  Only 23 percent of hotels surveyed revealed that they had a GDPR implementation plan internally.

A standard dataset within a hotel database typically includes items such as guest names, addresses, date of birth, credit card details, the guest’s passport details, as well as aspects related to preferred dietary requirements, etc.  This information is normally held for all guests, whether they are staying for leisure or business.  It is therefore considered sensitive data that could be used to carry out identity or credit card fraud.  Hence, it is clear there is a close correspondence between the Payment Card Industry Data Security Standard (PCI DSS) and the GDPR.  We like to think that PCI DSS is the technical side of managing data security, whereas the GDPR is the people side of managing data security.

Given the relationship between PCI DSS and GDPR, hotels must develop a detailed description of the processes that follow specific internal risk management policies.  In this sense, the GDPR requires all businesses to have a clearly documented data map – detailing the people, processes, platforms and the places where all personal data is located.

Hotels Are More Vulnerable To Data Breaches

In the survey, we were interested in understanding whether the hotel industry is more vulnerable to data breach than any other sector, such as general retailing.  Faced with the question, 67 percent of respondents responded that this was the case.  This figure may be slightly overstated, as our survey was live during a time when it was widely reported that Hyatt Hotels had discovered unauthorized access to payment card information.  This happened at certain Hyatt-managed locations worldwide between March and July 2017.  Hyatt confirmed the incident included payment card data, such as cardholder name, card number, expiration date and the verification code, originating from cards manually entered or swiped at the hotels’ front desk.  Although none of the locations where the breach occurred was in the EU, there is a high probability that the data would have belonged to EU data subjects.  Under the GDPR, a data breach will now mean that the data controller, in this case Hyatt Hotels, will be required to notify the European Regulator within 72 hours of a breach where this is likely to result in a risk to the rights and freedoms of EU data subjects. Other hotel brands have recently had similar data breaches – Hilton Hotels and Trump Hotels are two other examples.  Whilst incidents involving large hotel groups are most likely to reach the press, data breaches can happen in any hotel, regardless of its size.

According to Verizon’s 2016 Data Breach Investigations Report, the hotel industry accounts for one of the highest numbers of breaches in any sector and has the highest volume, when it comes to lost cards following an incident.  Verizon reports that this is ‘unsurprising, as they process information which is highly desirable to financially motivated criminals’.  This concurs with our survey findings.

Hotel Data Or Processor Data

Guest data is handled in silos according to 40 percent of the survey respondents.  On the other hand, 40 percent of them indicated there was a single customer relationship management database, whereas 20 percent of the respondents surveyed did not know where guest data was held.  Guest data may be stored centrally or spread across a variety of hotel systems.  However, we found out that Data Security or Data Protection Officers do not have a clear vision of who uses guest data, when it is used and in which department it is used.  Article 30 of the GDPR clearly states that each hotelier, i.e. the data controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.  Similarly, each data processor and, where applicable, the processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a controller.

In plain English, this means that all suppliers to the hotel that use the guest’s personal data, from caterers to cleaners, from channel managers to property management system suppliers, from Online Travel Agencies through to Global Distribution Systems, must be reviewed.  Hotels, as data controllers, must place more emphasis on re-negotiating data processing agreements as processors seek to ensure that the increased costs of GDPR compliance are reflected in the rate of their services.  The scope of the controllers’ responsibilities is clear and the risks must be appropriately allocated to the right third-party suppliers.  With this challenge in mind, EDC believes this is the ideal time to refresh and re-negotiate contracts between hotels and their suppliers.

According to some of our vendor interviews, the suppliers are expected to be a weak link in an otherwise secured environment.  More and more hotels are requiring that their third-party suppliers be both GDPR-ready and PCI DSS compliant.

What Is The Greatest Challenge

It was very revealing when the survey respondents were asked where, within the hotel’s operation, the greatest GDPR challenge lies.  Half of the survey respondents pointed out that their greatest challenge is the absence of qualified staff.  This is probably because there is generally a lack of GDPR experience right across the hotel industry, as is the case in other types of businesses.  In hindsight, it was like asking a computer programmer in 1999 what they would expect from a computer system at the change of the millennium.  At the time, no one had experienced a change from 1999 to 2000, just as there is no one in business today who has become fully GDPR compliant. Statements in the Regulation such as ‘ensures an adequate level of protection’ are bound to be open to interpretation.  Are we expecting the GDPR to be like the anti-climax of the Y2K problem that computer systems faced in the 1990s?  On the contrary, the GDPR involves a large number of people and a wider range of the operational aspects of the hotel business, so there is a real lack of understanding of how far-reaching this piece of legislation will be.  This was apparent in the survey and in our interviews with suppliers.  33 percent of our survey respondents stated that they did not understand where the GDPR would have an impact, while 35 percent of them indicated they lacked support from their suppliers.

Time For Data Mapping

It was perhaps not surprising to realise that hoteliers were unsure which items of personal data would be adequate and relevant for their operation.  In particular, the GDPR requires ensuring that the period for which the personal data items are stored is limited to a strict minimum.  Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.  To ensure that the personal data is not kept longer than necessary, time limits should be established by the hotel for deletion or for a periodic review.  Every reasonable step should be taken to ensure that personal data items which are inaccurate are rectified or deleted.

Almost 50 percent of survey respondents affirmed that a minimum viable compliance project would be pursued, but that it was not the right time to review which personal data items are captured, processed, stored and maintained.  When launching the survey, it was obvious that there was no time to streamline or right-size the personal data items that are held by hotels.  There was an impression that the main priority was to create a data map of the current situation, as required by Article 30 of the GDPR.  Only a third of the survey respondents indicated they would be consolidating and cleaning out the customer database.  By December 2017, there is simply not enough time to be clever and redesign any guest databases or related processes.

Our survey found that 34 percent who responded stated that there was an opportunity to create new processes which will allow for improved permission-based marketing.  This closely relates to the requirements to capture the guest’s consent to the processing of his or her personal data for one or more specific purposes.  Marketing and sales promotions in the hotel trade heavily rely on personal data.  Therefore, personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including preventing unauthorised access to or use of personal data.

A lot of hotels do not know which guests have given their consent to direct marketing and those who have not.  The UK pub chain J.D. Wetherspoon deleted its entire email mailing list.  This was announced in June 2017 in an email from their chief executive John Hutson.  “Many companies use email to promote themselves, but we don’t want to take this approach – which many consider intrusive,” Hutson wrote to subscribers. “Our database of customers’ email addresses, including yours, will be deleted”.  It is unclear whether this announcement was related to a lack of a return on investment in becoming GDPR compliant, relative to the benefits of holding an email mailing list; especially, where the concept or the manner to obtain customer consent could be vague.  Conversely, in March 2017, the airline Flybe was fined £70,000 (around $93,000) by the Information Commissioner’s Office (ICO) after sending more than 3 million emails under the title “Are your details correct?”.
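The data map required by Article 30 (people, processes, platforms and places), the retention time limits discussed under "Time For Data Mapping", and the consent gap described just above can all be checked from one register. The following is an added example, not code from the EDC article or from any hotel system it describes: a minimal data map in which each personal data item records its purpose, the platform holding it, the processor handling it and an assumed retention period, run over a small set of constructed guest records. Every field name, vendor name, retention period and guest record below is an assumption made for illustration.

```python
"""Added example (not part of the EDC article): a minimal data map with
retention limits and consent checks, run over constructed guest records.
All field names, vendor names, retention periods and records are assumed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set


@dataclass(frozen=True)
class DataMapEntry:
    """One line of the Article 30 style data map (assumed structure)."""
    item: str
    purpose: str
    platform: str           # system holding the item, e.g. PMS, CRM, gateway
    processor: str          # who handles it for the hotel; "hotel" if in-house
    retention_days: int     # max days kept after checkout (assumed policy)
    needs_consent: bool = False   # True when the purpose relies on consent


# Constructed data map; the vendors are hypothetical and the periods illustrative.
DATA_MAP: Dict[str, DataMapEntry] = {
    "name": DataMapEntry("name", "fulfil booking", "PMS", "hotel", 365),
    "email": DataMapEntry("email", "direct marketing", "CRM",
                          "EmailVendor Ltd (hypothetical)", 730, needs_consent=True),
    "passport_number": DataMapEntry("passport_number", "guest registration",
                                    "PMS", "hotel", 365),
    "card_number": DataMapEntry("card_number", "payment", "payment gateway",
                                "PayVendor Inc (hypothetical)", 0),
    "dietary": DataMapEntry("dietary", "service preference", "PMS", "hotel", 90),
}


@dataclass
class GuestRecord:
    guest_id: str
    checkout: date
    fields: Dict[str, str]                      # item name -> (constructed) value
    consents: Set[str] = field(default_factory=set)   # items the guest consented to


def review_record(rec: GuestRecord, today: date) -> List[str]:
    """Findings for one record: items missing from the data map, items held
    past their retention limit, and consent-based items held without consent."""
    findings: List[str] = []
    age = (today - rec.checkout).days
    for item in rec.fields:
        entry = DATA_MAP.get(item)
        if entry is None:
            findings.append(f"{rec.guest_id}: '{item}' is not in the data map")
            continue
        if age > entry.retention_days:
            findings.append(f"{rec.guest_id}: '{item}' held {age} days after checkout, "
                            f"limit {entry.retention_days} (delete or review)")
        if entry.needs_consent and item not in rec.consents:
            findings.append(f"{rec.guest_id}: '{item}' held for '{entry.purpose}' "
                            f"without recorded consent")
    return findings


def review_all(records: List[GuestRecord], today: date) -> List[str]:
    """Run the review over every record and flatten the findings."""
    return [f for rec in records for f in review_record(rec, today)]


def external_processors() -> List[str]:
    """Suppliers that handle guest data, i.e. the processors whose data
    processing agreements the hotel must review."""
    return sorted({e.processor for e in DATA_MAP.values() if e.processor != "hotel"})


# Constructed sample records; values are placeholders, not real guest data.
SAMPLE_RECORDS = [
    GuestRecord("G1", date(2017, 6, 1),
                {"name": "A. Guest", "email": "a@example.invalid", "dietary": "vegetarian"},
                consents={"email"}),
    GuestRecord("G2", date(2017, 11, 20),
                {"name": "B. Guest", "email": "b@example.invalid", "card_number": "4111-xxxx"}),
    GuestRecord("G3", date(2017, 11, 28),
                {"name": "C. Guest", "loyalty_notes": "prefers high floor"}),
]

if __name__ == "__main__":
    for line in review_all(SAMPLE_RECORDS, date(2017, 12, 1)):
        print(line)
    print("processors to review:", external_processors())
```

Run as written, the review reports a dietary preference kept beyond its assumed 90-day limit, a marketing e-mail address held without consent, a card number retained after checkout (assumed limit of zero days, matching the PCI DSS expectation that full card numbers are not stored by the hotel), and a `loyalty_notes` field that nobody has mapped; the last finding is the one a siloed data landscape tends to produce.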

While a GDPR implementation project will have an obvious focus on compliance, the survey questioned whether hoteliers were looking to deliver an improved customer experience.  Only 16 percent of hoteliers indicated they would look to leverage GDPR, such as data portability, right to be forgotten, subject access rights, as a means of improving the customer experience.

There appears to be a lack of vision in the identification of new business opportunities that compliance with GDPR is expected to provide.  Trust in personal data is expected to be a service differentiator in the future.  Many hotels (and merchants) have already made investments in the design of the customer experience.  Privacy by design will now be unequivocally linked to it.

How Much Will This Cost?

Our survey did not specifically inquire about the cost of GDPR implementation but a recent survey by TrustArc did focus on GDPR spending.  In their survey, 69 percent of UK respondents expected that their GDPR spending will be at least $100,000.  Other results of the TrustArc survey are summarised in this table:

During our qualitative interviews, we spoke to data processors, hotel vendors, a couple of small hotels with 100 to 200 rooms, and one well-known national brand.  They estimate a budget of between $500,000 and $1 million in the first year of getting GDPR ready.  Larger hotel groups will have a greater budget specifically for GDPR and a sum above $5 million will not be uncommon.  One of the interviewees revealed that the GDPR related expenditure on external consultants could reach approximately $3 million in the next three months.  None of these conversations indicated that this level of spending would be reduced following the May 2018 deadline, because they felt that GDPR will not fade.  Unlike the Y2K problem, it will require continuous investment over the next few years and eventually become an operational expense.  Ongoing monitoring, procedures and processes will have to be improved as they deal with the operational challenges of subject access requests, requests to be forgotten, improved management of data subject consent, management of marketing databases, reward programs, gift card and voucher programs, etc.

Data breach reporting and management must be established and will have to be tested with all suppliers handling hotel’s consumer data.

How Can Edgar, Dunn & Company Help?

By working with EDC, there are three steps to follow for getting ready for GDPR, fast-tracking your strategies to ensure GDPR compliance or improving your existing plans:

  1. A light-touch health check – we suggest no more than a few days to assess your current roadmap and readiness against the GDPR requirements – essentially, this is a gap analysis.  In some cases, where there is an on-going in-house GDPR project, it is advisable to gain an outside independent perspective of your plans
  2. An in-depth data mapping of the current processes, people, platforms and places – as required by Article 30 of the GDPR – we use a range of sophisticated GDPR-ready documentation tools which best suit your business to perform this step
  3. Change management project – creation of new policies, such as a Subject Access Request (SAR) policy, retention policy and privacy policy across all customer touch points.  This step will include staff awareness and training.  We work with lawyers and solution vendors where necessary to conduct this step.

Based on our conversations with a range of hotels and their suppliers, the GDPR challenges they are experiencing today are very similar to other travel-related businesses, such as train operators and airlines.  The higher the propensity for personal data needed in the booking and servicing of guests and travellers, the greater the need for a clear GDPR strategy and the need to embrace privacy by design.

We have found that most hoteliers and merchants that process personal data are focusing their limited resources on the processes to be compliant with GDPR.  At this stage, this is appropriate and to be expected.  However, at Edgar, Dunn & Company, we believe that the next wave of GDPR frenzy (i.e. post 25 May 2018) will be driven by the need to be more visionary in the identification of new business opportunities that will leverage data portability, access to centralised customer data and the monetisation of data.