The first task must be to define the hotel's core principles with respect to guest data as it relates to GDPR. This will define the way forward, and may require a complete change of mindset, since current industry thinking is that guest data belongs to the hotel, not the guest. The second task must be to define the hotel's guidelines for collecting and managing PII data. The third task must be to establish a code of conduct for the hotel and all its staff. And finally, the hotel must define audit questions that enable it to self-regulate and audit itself against its declared ambitions. Only when this is achieved can the hotel begin to address the IT security and personnel challenges.
The output from all this hard work is likely to be much the same for most hotels, and industry organisations such as Hotel Technology Next Generation (HTNG) are working on a core set of principles for the industry. Once completed, an audit of the hotel is likely to address such questions as:
Is guest data used for the purposes it was specifically gathered for? Do you ensure safeguarding guest data is the responsibility of every member of the organisation? Are policies and procedures to best protect guest data understood by relevant staff? Are data security issues addressed in accordance with GDPR? Do you adequately train and instruct employees to follow procedures for protecting guest data?
Does the website publish a policy where guests are asked to 'opt-in' and to provide their consent to use data for purposes other than the primary business needs? Is this information available in clear language, and easily accessible? Can guests remove any data that is no longer required? Are different policies applied to each jurisdiction the hotel operates in? Can guests easily request corrections to their information, and are they informed on the status of requested changes? Do you communicate how long guest data is kept, and do you remove data that is no longer required?