Hospitality Today Feb - Mar 2017 | Page 18

This is a complex task, so where do you start?
The first task must be: to define the hotel’s core principles with respect to the guest data as it relates to GDPR. This will define the way forward, and may require a complete change of mind-set, since current industry thinking is that guest data belongs to the hotel, and not the guest. The second task must be: to define the hotel’s guidelines for collecting and managing PII data. The third task must be: to establish a code of conduct for the hotel and all its staff. And finally: the hotel must define audit questions that enable it to self-regulate and audit itself against its declared ambitions. Only when this is achieved can the hotel begin to address the IT security and personnel challenges.
The output from all this hard work is likely to be much the same for most hotels, and industry organisations such as Hotel Technology Next Generation (HTNG) are working on a core set of principles for the industry. Once completed, an audit of the hotel is likely to address such questions as:
Personnel Challenges
Is guest data used for the purposes it was specifically gathered for? Do you ensure safeguarding guest data is the responsibility of every member of the organisation? Are policies and procedures to best protect guest data understood by relevant staff? Are data security issues addressed in accordance with GDPR? Do you adequately train and instruct employees to follow procedures for protecting guest data?
Website challenges
Does the website publish a policy where guests are asked to ‘opt-in’ and to provide their consent to use data for purposes other than the primary business needs? Is this information available in clear language, and easily accessible? Can guests remove any data that is no longer required? Are different policies applied to each jurisdiction the hotel operates in? Can guests easily request corrections to their information, and are they informed on the status of requested changes? Do you communicate how long guest data is kept, and do you remove data that is no longer required?