GDPR Whitepaper FINAL


GDPR: WHAT HOTELS NEED TO KNOW AND HOW TO PREPARE


A GUIDE TO BEING GDPR-READY

BY MARGARET MASTROGIACOMO
VICE PRESIDENT STRATEGY

WHAT IS THE GDPR?

The GDPR is a regulation in EU law on data protection and privacy for all individuals within the
European Union, and it addresses how companies manage, use, and share personal data. The GDPR
will take effect on May 25, 2018. The GDPR applies to natural persons, whatever their nationality
or place of residence, whose personal data is processed and whose behavior is monitored while
within the EU. This change in legislation means that nearly every online service is affected, and the
regulation has already resulted in significant changes for US users as companies begin to adapt.

The foundation of the GDPR builds on rules set by earlier EU privacy measures like the Privacy
Shield and Data Protection Directive, and expands on these privacy measures in two critical ways.

MOST IMPORTANT CHANGES WITH THE GDPR

1. The definition of and requirements around personal data have been expanded.

First, the GDPR defines personal data as any information that can be used to directly or indirectly identify a data subject, such as an IP address. The GDPR sets a higher standard for collecting personal data than ever before. By default, any time a company obtains personal data on an EU resident, it will need a legal basis for collecting that data, such as explicit and informed consent from that person. Even more importantly, users also need a way to revoke that consent, and they can request all the data a company has collected on them as a way to verify that consent. These strong regulations explicitly extend to companies based outside the EU.

2. The penalties are more severe.

The GDPR’s penalties are severe and have two tiers of fines. The maximum fines per violation are set at up to four percent of a company’s annual global revenue or 20 million Euros, whichever is larger. The lower level fines are up to two percent of a company’s annual global revenue or 10 million Euros, whichever is larger. These penalties far exceed the fines allowed by the Data Protection Directive, and they signal how seriously the EU is taking data privacy.

AVOID MISCONCEPTIONS AND GET TO KNOW THE FACTS.

1. The GDPR affects hotels across the globe: The GDPR applies to all properties that target EU residents as customers, no matter where they are located. This means that the GDPR affects all hotels in the US and locations around the world, not just Europe.

2. Hotels are liable for the GDPR: Regardless of its partners or solutions provider, the hotel—which, according to the GDPR, would be considered the data controller—is ultimately responsible for using tools that are in compliance with the GDPR.

3. One price point for all of the EU: Commonly overlooked regarding the GDPR, it’s important to note that hotels cannot use profiling to set prices based on an EU visitor’s location.

hebsdigital.com | [email protected]

HOW DOES THE GDPR APPLY TO YOUR HOTEL’S DATA POLICY?

The GDPR affects your hotel’s data policy regarding EU website visitors in six main ways.

1. Getting consent

Visitors to your website must understand exactly how you are planning to use their data, and the legal basis for why you are collecting the data. Unambiguous and affirmative consent is a key part of GDPR legislation and it is important for any hotel website that collects personal data to obtain specific permission to use it in the course of their business. If you are requesting consent from the customer, the user must agree to each specific purpose. For example, if you have the email address of someone who booked with your hotel, you are only allowed to market to them if they have explicitly agreed to it. Similarly, privacy notices may require rewriting to be in line with the GDPR rules. Privacy Policies and Terms of Service must be simple to understand and free of jargon; a good rule of thumb here is that a 16-year-old should be able to understand the Terms of Service.

2. Accessing data

A main component of the GDPR is being fully aware of who has access to personal data that is logged and stored on your hotel website’s content management system or database. The first step is to compile a list of the individuals who have access to this data. Next, determine whether everyone on the list requires this level of access. If the answer is no, permission should be revoked and measures must be implemented to control future access.

There must also be a robust process in place for deleting data that is no longer relevant or required, as companies are not allowed to hold on to this for any longer than is absolutely necessary.

3. Data accountability

Regardless of your solutions provider, hotels are ultimately responsible for using tools in compliance with the GDPR. In light of this, hotels should audit any external agencies they use that might have access to their data to ensure that their procedures are compliant. As the data owner (controller) you are ultimately responsible for this, even if you have outsourced elements of the process, so keep a record of the measures you have taken to ensure all partners are acting in line with the GDPR regulations. All of your partners should be able to clearly explain what measures they have taken to maintain maximum security of the data you provide.

4. Data accuracy

All personal data must be accurate and kept up-to-date. Every reasonable step must be taken to ensure that personal data is correct in regard to the purposes for which the data is processed, and that personal data is erased or rectified without delay if inaccurate.

5. Data minimization

Websites should collect only the minimum amount of customer data to do the job, as well as adhere to the “storage limitation principle”.

6. Data portability and the “Right to be Forgotten”

All website users have the right to receive their personal data that was previously collected in a readable format, as well as own the “Right to be Forgotten”, which grants consumers the ability to easily have all of their data deleted from the hotel database.


HOW CAN YOUR HOTEL PREPARE FOR THE GDPR?

The GDPR affects your hotel website, data strategy, digital marketing, and online
merchandising. Below are the top ways you can prepare for the GDPR:

PREPARING YOUR HOTEL WEBSITE

Update your Privacy Policy and Terms and Conditions.

First and foremost, your hotel website’s Privacy Policy and Terms and Conditions should be updated to reference GDPR rules and regulations. In particular, you will need to be transparent about what you will do with personal information once you’ve collected it, and how long you will retain this information on your website and in any other databases.

Ensure your website is secure.

Your hotel website should have an SSL (Secure Sockets Layer) Certificate to ensure that all data processing through the website is secure. If your website has an SSL Certificate, the domain will begin with “https,” rather than “http.” SSL Certificates secure all of your data as it is passed from the visitor’s browser to the website’s server.

Ensure the ability for people to opt out or erase their personal data.

The GDPR clearly states that a data subject should be able to withdraw consent as easily as they gave it under the “Right to be Forgotten” clause. Controllers must inform data subjects of the right to withdraw before consent is given.

Update email opt-in to default to “no” and include specific check boxes for every opt-in.

Forms that invite users to subscribe to newsletters or indicate contact preferences must default to “no” or be an un-checked opt-in box. You should also ensure that users provide consent for all ways your hotel will be utilizing their data. For instance, if a user is opting in for email newsletters, this does not mean they are opting in for that email to be used for look-a-like audience marketing. Ultimately, hotels must set up a specific checkbox or form of consent for each separate use of guests’ data. And finally, to ensure that you are in complete GDPR compliance, it’s important to implement a double opt-in process.

All web forms must clearly identify named parties.

Your web forms must clearly identify each party for which the consent is being granted. It is important to note that it isn’t enough to include specifically defined categories of third-party organizations—they must be named in full. For example, your consent form cannot simply say third-party ad networks; it needs to specifically name the ad networks where ads will appear.


PREPARING YOUR DATA STRATEGY

Once you’ve collected user data from EU residents or anyone living within the EU, it’s important
to follow key protocols regarding the use and removal of this data. It is also extremely
important that everyone covered by the GDPR has an easy way to access and download any of
their personal data that has been collected. Here are some key considerations regarding your
data strategy:

1. Provide EU visitors with easy access to download personal data.

Your hotel website should provide a request form where EU website visitors can request personal data.

2. Do not keep data for longer than required.

While the GDPR does not state a specified timeframe that limits data storage, it’s a good idea to scrub customer data once or twice a year to ensure that all data is accurate and up-to-date. Any inaccurate or incomplete information should be deleted, and the hotel is responsible for clearly stating how long the information will be stored within the privacy policy.

3. Allow easy consent opt-out to address the “Right to be Forgotten” and grant EU website visitors the ability to delete their personal data.

Your data strategy must allow for website visitors who previously consented to any use of their personal data to easily opt out or “erase” their data, as well as update their opt-in preferences. This user experience should be just as seamless as opting in and be easy to navigate on the hotel website.

Overall, it’s not only important to familiarize yourself and your hotel staff with the
GDPR, it’s important to ensure that all of your bases are covered. With the official
launch of the GDPR on May 25, 2018, you can prepare for what’s next by checking
out additional resources from The UK Information Commissioner’s Office, and by
reviewing your policies with a data privacy consultant and your legal team.

ABOUT US

Founded in 2001, the firm is headquartered in New York City and has global offices in Las Vegas, Tallinn, Munich,
and Asia-Pacific. Through its Smart Guest Acquisition Suite, including the smartCMS®, Smart Personalization
Engine, Smart Data Marketing, and full-service digital consulting and marketing solutions, HEBS Digital helps
hoteliers drastically boost direct bookings, lower distribution costs, and increase the lifetime value of guests. Its
diverse client portfolio consists of top-tier luxury and boutique hotel chains, independent hotels, resorts and
casinos, franchised properties and hotel management companies, convention centers, spas, restaurants, DMO
and tourist offices.

Part of NextGuest Technologies, HEBS Digital and Serenata CRM, the most comprehensive Hotel CRM Suite
today, are the creators of the hospitality industry’s first Fully-Integrated Guest Engagement & Acquisition
Platform.

Please note – This document is not to be treated as legal advice. The purpose of this document is to highlight some issues
you will need to take into account when preparing for the GDPR. We are happy to explain further to you how HEBS Digital’s
products support GDPR compliance. We are, however, not licensed to provide legal advice.
