Also , customers ’ payment card details can be received from many sources , such as third party booking systems , point of sale systems , through the hotel website , email , fax and telephone . All of which makes hotels an attractive target for cyber criminals , and are particularly susceptible when systems fail . To ensure compliance with the GDPR , hotel businesses will need to take action now to safeguard customers ’ data records , which will frequently require a significant overhaul of current operations .
Under the GDPR , businesses are required to report a personal data breach to the supervisory authority within 72 hours . Where a personal data breach is likely to result in a high risk to the individuals affected , such as where customers ’ credit card details have been stolen , the business must communicate the breach to those individuals without undue delay . The communication must describe in clear and plain language , the nature of the breach . The most serious of breaches can incur fines of up to 4 % of a company ’ s global annual turnover or € 20 million ( whichever is greater ), not to mention the bad publicity arising from any data breach , and affected individuals may also bring claims for compensation .
Practical steps to take now
The penalties for not complying are severe along with the potential loss of reputation within the hospitality sector . However , this loss can be easily avoided if hospitality businesses start the GDPR compliance process now by taking the following steps :
make the GDPR reforms known to the highest level of decision makers ;
carry out an audit of what personal data is held , where it came from , where to find it and who it is shared with ;
eview current privacy notices / policies and identify those areas which will require updating to ensure compliance with the GDPR ;
review and update current procedures for handling subject access requests and deletion request ;
review the methods for seeking , obtaining and recording consent for marketing purposes to ensure compliance with the GDPR ;