The GDPR (DSGVO) Countdown is On

By Michael Toedt and Robert Selk

The GDPR (General Data Protection Regulation) is about to become effective, and it is time for the hospitality industry to become aware of this topic. The GDPR is considered the big bang for data protection. The new regulation will take effect on May 25, 2018 after a 2-year transition period. As of this date, all data protection regulations currently valid across the 28 countries of the European Union will be replaced by this new regulation, making the 28 different local data protection regulations disappear. With the GDPR, data protection will be Europeanized.

The new regulations of the GDPR will bring many changes and various additional obligations. This will lead to new implications for owners, managers and employees.

German companies that comply with the current local Data Protection Act have a clear advantage, as a lot of the regulations will remain the same or be similar.

Hand on heart – have you already taken measures to ensure proper data protection? I doubt that many hoteliers have spent the necessary time on this topic.

There is a difference between so-called "data security", i.e. the technical and organizational measures, and actual "data protection", meaning the protection of a person from excessive collection of personal data by companies, the government, etc. In data protection, a "person" includes not only guests, but also employees, suppliers, and other third parties. We will focus on the hotel guests, the direct clients of our industry.

Here are some good reasons why the GDPR should be taken seriously:

In other words, this is the last chance to take this topic seriously and to take the appropriate action.

Record of Processing Activities

The GDPR clearly regulates how data protection must be organized. One of the new obligations is to keep a record of all data processing activities in a so-called Record of Processing Activities. All processes of an organization that involve personal data must be described and documented. The record must also indicate how long the data is stored and when it will be deleted. German organizations that already have documentation following the current German data protection regulations can easily adapt the existing record to the new requirements. Most companies, however, have no documentation that they can build on. A typical organization has about 150 processes that have to be evaluated and documented. It can take a couple of hours to create the respective entry in the Record of Processing Activities. This gives an indication of the scope of a GDPR project and the work involved in creating the required documentation. And keeping a Record of Processing Activities is only one of a dozen requirements.

The Record of Processing Activities clearly shows where data is processed and what exactly is done with it. In the past, companies had some time to create the documentation, as any inspection was announced in advance by the data protection authorities. As of May 25, 2018, however, the authorities have the right to demand the Record of Processing Activities without giving any prior notification. There are even discussions about remote access to the records. But even if the deadline were longer, it would be impossible to create a proper record, as it requires so much input from the specialist departments, such as legal, the data protection officer, IT security, etc. There will be no more buffer for a quick fix. If you want to avoid the risk of getting fined, all documents should be more or less available at hand.

Implications for the hotel software

The controller of the data, e.g. a hotel, will be liable for the proper data processing of its suppliers, mainly the software providers ("processors"). This implies that a hotel based in Germany is fully liable for the activities of a software provider based in the US or in China. The German hotel is obliged to verify whether the provider complies with the new regulations. This will be extremely challenging for most European hoteliers and might have serious consequences.

Technological Changes

The GDPR will also bring big challenges for the industry with regard to technology. An individual hotel works with up to 15 software systems containing guest data. As of May 25, 2018, guests have the right to request information about their personal data stored by the hotel. They also have the right to demand deletion of their personal data. Further, a guest may demand that his personal data be transferred back to him or to a third party, e.g. a competitor. There are certain prerequisites to this, but these are mostly met in the case of guest data.

In a fully heterogeneous IT environment, it will be virtually impossible for companies to comply with the new regulations, unless they have a Central Data Management (CDM), a so-called "Above Property System", which centralizes all data streams. A CDM with its central guest profiles enables the implementation of a privacy dashboard meeting the new EU standards.

We highly recommend checking whether your software provider complies with the GDPR regulations. If not, you should switch providers and even consider taking legal action for non-compliance with the legal requirements. Data protection should be part of the software concept (Privacy by Design). And it is your right to work with partners who provide legally compliant software. We advise working only with software providers that guarantee legal compliance. European software companies have had to comply with data protection regulations for many years already and are thus better prepared than providers for which the complex regulations of the GDPR are new territory. Never before has it been more important to select the right software provider.

Since April 2017, dailypoint™ has been working on a holistic GDPR compliance strategy. During ITB 2018, we will present the new privacy dashboard for our dailypoint™ software products. This dashboard will be integrated as a standard module in all dailypoint™ products (kissCRM by dailypoint™, dailypoint™ 360° CDM/CRM, dailypoint™ BOOKING MANAGER and dailypoint™ SMART WLAN). For us, "Privacy by Design" means that we take data privacy seriously and support our hotels in doing the same.


Michael Toedt

CEO and Founder, dailypoint

Dr. Michael Toedt is CEO and Founder at dailypoint. He is a renowned expert in the field of Big Data and CRM. Michael started his career in his parents' hotel business and in Michelin-star gastronomy. He started his second career in the field of CRM, and in 2005 founded Toedt, Dr. Selk & Coll. GmbH (TS&C). TS&C, today known as dailypoint, is recognized as a premier software company and think tank for data-driven management. In addition to his work at dailypoint, Michael Toedt is, among other things, a lecturer at the University of Applied Sciences in Munich, Germany on the topic of "CRM in Tourism" as well as a lecturer at Hotellerie Suisse. He regularly publishes books and professional articles in the field of CRM, Big Data and digitalization. Michael wrote his doctorate on the influence of communication on sales figures in the luxury hotel industry.

Robert Selk

Attorney-at-law, cofounder of Toedt, Dr. Selk & Coll. GmbH

Attorney-at-law Dr. jur. Robert Selk is associate partner in the law office of Dr. Schmid, Dr. Selk & Hoffmann in Munich and cofounder of Toedt, Dr. Selk & Coll. GmbH. His doctorate was completed in the internet and data protection area. Postgraduate Master's studies in European and International Business Law (Master of Law, LLM) followed. Dr. Selk is a member of the work group IT-Law of the German Lawyers Association, the German Association for Law and Computer Sciences (DGRI), the Association for Data Protection and Security (GDD) as well as the German Data Protection Association (DVD). His activities are mainly focused on computer, internet and data protection law and on commercial legal protection/copyright law. Dr. Selk is Data Protection Officer in various companies and also guest lecturer at the University of Augsburg for the ecommerce field as well as lecturer at the Academy for Corporate Management of the Chamber of Commerce in Bavaria.

dailypoint™

Augustenstr. 79
Munich 80333
Germany

Phone: 49 89 189 35 69 0
www.dailypoint.com
