Contents
- Introduction
- Are Hoteliers Ready For GDPR?
- Survey Methodology
- Controller Or Processor?
- Not Enough Awareness And Not Enough Action
- Hotels Are More Vulnerable To Data Breaches
- Hotel Data Or Processor Data
- What Is The Greatest Challenge?
- Time For Data Mapping
- How Much Will This Cost?
- How Can Edgar, Dunn & Company Help?
Introduction
The General Data Protection Regulation (GDPR), considered to be the biggest shake-up of data
protection laws for 20 years, will come into force in the European Union (EU) Member States
on 25 May 2018. Edgar, Dunn & Company (EDC) has just completed a survey of 300 hoteliers
around the UK to gain a better understanding of the current status of their GDPR plans. The
results show that 57 percent of them have not started the process of GDPR implementation yet.
Only a third of the surveyed respondents are planning to consolidate and clean out their
customer databases.
There are just six months to become GDPR compliant and if you want to learn more about the
implications of this upcoming regulation for hotels worldwide.
Are Hoteliers Ready For GDPR?
Within Edgar, Dunn & Company (EDC), the Travel Practice team provides advice on various
topics to players in the travel space, including hoteliers. As we move towards the deadline, EDC
has been keen to understand the implications of the General Data Protection Regulation
(GDPR) for hotels. Considering that the GDPR is the biggest shake-up of data protection laws for 20
years, EDC wanted to conduct a survey of hoteliers to uncover answers to the following
question: are hoteliers ready for GDPR compliance? Our original working hypothesis can be
summarised into three key areas:
1. For medium and large hotels, the GDPR will have a significant impact on their
business operations, but they are not likely to be GDPR compliant in time, by May
2018
2. There would be a close correlation between how payments are processed within a
hotel, from booking through to check-out, and the collection, storage and
processing of personal consumer data (as defined by the GDPR)
3. The GDPR challenges faced by hotels will be similar for other travel-related
businesses, such as train operators, and airlines
The new GDPR will strengthen and harmonise data protection laws across Europe from 25 May
2018. As the GDPR will replace the current Directive and take the form of a Regulation, this
means it will be enforceable by law immediately in all Member States, without the need to
transpose it into national laws. The UK Government has confirmed that its decision to leave the
EU will not affect the commencement of the GDPR.
The GDPR will have a huge impact on the protection of data, data privacy and the rights of data
subjects (people who reside in the European Union). This is not just about EU citizens, it is
about everyone who resides in the EU.
According to Eurostat, there are an estimated 510 million citizens living in the EU and 2.4 million
of them are from non-EU countries. The United Nations World Tourism Organisation
(UNWTO) recently published its ‘Tourism Highlights’ report, which stated that the EU is a major
tourist destination, with four of its Member States among the world’s top 10 destinations in
2016. According to the UNWTO, around 124 million people travel to the EU from
non-EU countries every year, stay overnight in a hotel and, therefore, fall
within the GDPR remit. Furthermore, the GDPR applies to stored EU citizens’ data regardless
of where guests stay around the world. According to Eurostat, 71 million EU citizens
travel to non-EU countries per year. Essentially, the GDPR will impact all businesses in the
hospitality sector worldwide.
The results of our survey highlight that most medium and large hotel brands operate with a
highly fragmented or a poorly defined data management system. We could therefore expect
that many hotels will not be compliant when the GDPR requirements take effect. Aligning data
processing policies and procedures with the GDPR requirements will take most organizations
longer than they anticipated.
Survey Methodology
EDC approached more than 300 UK-based hotels to conduct this survey. They varied in size,
some small (less than 100 rooms), some medium (101 to 199 rooms) and some belonging to
large international hotel chains, with more than 200 rooms. We asked them to complete an
online GDPR survey which was open between September and November 2017. The findings
described in this article provide a representative sample of the opinion of experts and vendors
from the hotel industry across the UK. We believe the UK hotels are representative of other
European hotels but outside Europe, GDPR awareness amongst hoteliers is alarmingly limited.
The objective of conducting this survey was to gain a better understanding of the needs of
hotels in terms of data security, their knowledge of the implications of the GDPR and the
potential changes that could affect the way hotels operate. Additionally, several qualitative
telephone interviews were performed on both sides of the Atlantic with leading hotel vendors,
such as Property Management System (PMS) providers, channel managers, etc. to obtain an in-
depth analysis of the current situation. These interviews were helpful for exploring what hotels
are currently thinking about their GDPR plans and their expectations as to when they will
become GDPR ready.
Controller Or Processor?
One fundamental aspect of the new regulation is that the basic concepts of a data ‘controller’
and a data ‘processor’ remain essentially unchanged under the GDPR. However, their respective
obligations are significantly amended. Just to be clear, a ‘controller’ means the natural or legal
person, or agency or any other body which, alone or jointly with others, determines the
purposes and means of the processing of personal data.
For our survey, the data controller is the hotel. The ‘data subject’ is the guest who stays at the
hotel. On the other hand, a ‘processor’ means a natural or legal person, agency or any other
body which processes personal data on behalf of the controller. Basically, all the software
vendors, IT platform suppliers, loyalty program member and service providers that may be
handling the guest’s personal data on behalf of the hotel are categorised as data processors.
Interestingly, our telephone interviews with data processors implied that they were not
responsible for GDPR compliance and responsibility was solely with the data controllers. (This
is not entirely true). Nonetheless, further questioning found that the majority of vendors did
not know when they would become GDPR compliant. There appears to be some confusion in
this area and we would expect numerous cases of finger-pointing after 25 May 2018; cases
where data controllers will declare that GDPR compliance is partially the responsibility of the
processor, whereas data processors will claim something else.
Through conversations with non-EU players, it appeared that some vendors from North
America seem to be entirely unaware of the GDPR or the need to comply.
Not Enough Awareness And Not Enough Action
A significant finding from our hotel survey was that 57 percent of the respondents admitted
that they have not started the process of GDPR implementation. This took us by surprise,
considering that at the time of closing the survey, there were only 6 months left until May 2018.
In order to validate our findings, we explored whether there were any other surveys conducted
on the topic within the hotel industry.
Unfortunately, there were no comparable hotel surveys available in the public domain.
However, at a similar time, a survey conducted by the International Association of Privacy
Professionals (IAPP), in coordination with TRUSTe, found slightly more advanced preparations.
The IAPP survey, which nonetheless did not focus on the hotel industry, stated that 67 percent
of EU companies reported to have begun a GDPR implementation. This is a stark contrast with
our findings, which may derive from the fact that the IAPP surveyed all types of companies,
without focusing solely on hotels.
Our concern is that the hotels appear to be spending a considerable amount of time
understanding the legislation and making plans to be GDPR-ready instead of setting up an
ongoing GDPR implementation strategy. During some of our qualitative interviews with a
larger hotel group, with over 2,500 rooms, we found out that they were further along with their
GDPR implementation plans. However, our findings also revealed that, amongst medium and
smaller hotels (with less than 2,500 rooms), there is a huge lack of GDPR planning or
implementation.
When required to select the closest description of their GDPR plans, 39 percent of our survey
respondents pointed out they had not started the implementation phase, but they were
working on their GDPR plan.
Meanwhile, 18 percent of them indicated that they have a plan in place, but have not started
working on implementation. Only 23 percent of the hotels surveyed revealed that they have a
GDPR implementation plan internally.
A standard dataset within a hotel database typically includes guest names, addresses, dates of
birth, credit card details, passport details and preferences such as dietary requirements. This
information is normally held for all guests, whether they are staying for leisure or business.
This is therefore considered sensitive data that could be used to carry out identity or credit
card fraud. Hence, it is clear there is a close correspondence between the Payment Card Industry
Data Security Standard (PCI DSS) and the GDPR. We like to think of PCI DSS as the technical
side of managing data security, whereas the GDPR is the people side of managing data security.
Given the relationship between PCI DSS and GDPR, hotels must develop a detailed description
of the processes that follow specific internal risk management policies. In this sense, the GDPR
requires all businesses to have a clearly documented data map – detailing the people,
processes, platforms and the places where all personal data is located.
Hotels Are More Vulnerable To Data Breaches
In the survey, we were interested in understanding whether the hotel industry is more
vulnerable to a data breach than any other sector, such as general retailing. Faced with this
question, 67 percent of respondents responded that this was the case. This figure may be slightly
overstated, as our survey was live at a time when it was widely reported that Hyatt
Hotels had discovered unauthorized access to payment card information. This happened at
certain Hyatt-managed locations worldwide between March and July 2017.
Hyatt confirmed the incident included payment card data, such as cardholder name, card
number, expiration date and the verification code, originating from cards manually entered or
swiped at the hotels’ front desks. Although none of the locations where the data breach occurred
was in the EU, there is a high probability that the data would have belonged to EU data
subjects. Under the GDPR, a data breach will now mean that the data controller, in this case,
Hyatt Hotels, will be required to notify the European Regulator within 72 hours of a breach
where this is likely to result in a risk to the rights and freedoms of EU data subjects. Other hotel
brands have recently had similar data breaches - Hilton Hotels and Trump Hotels are two other
examples. Whilst incidents involving large hotel groups are most likely to reach the press, data
breaches can happen in any hotel, regardless of its size.
According to Verizon’s 2016 Data Breach Investigations Report, the hotel industry accounts for
one of the highest numbers of breaches in any sector and has the highest volume, when it
comes to lost cards following an incident. Verizon reports that this is ‘unsurprising, as they
process information which is highly desirable to financially motivated criminals’. This concurs
with our survey findings.
Hotel Data Or Processor Data
Guest data is handled in silos according to 40 percent of the survey respondents. On the other
hand, 40 percent of them indicated there was a single customer relationship management
database, whereas 20 percent of the respondents surveyed did not know where guest data
was held. Guest data may be stored centrally or spread across a variety of hotel systems.
However, we found that Data Security or Data Protection Officers do not have a clear view
of who uses guest data, when it is used and in which department it is used. Article
30 of the GDPR clearly states that each hotelier, i.e. the data controller and, where applicable,
the controller's representative, shall maintain a record of processing activities under its
responsibility. Similarly, each data processor and, where applicable, the processor's
representative shall maintain a record of all categories of processing activities carried out on
behalf of a controller.
In plain English, this means that all suppliers to the hotel which use the guest’s personal data,
from caterers to cleaners, from channel managers to property management system suppliers,
from Online Travel Agencies through to Global Distribution Systems, must be reviewed. Hotels,
as data controllers, must place more emphasis on re-negotiating data processing agreements
as processors seek to ensure that the increased costs of GDPR compliance are reflected in the
rates for their services. The scope of the controllers’ responsibilities is clear and the risks must be
appropriately allocated to the right third-party suppliers. With this challenge in mind, EDC
believes this is the ideal time to refresh and re-negotiate contracts between hotels and their
suppliers.
According to some of our vendor interviews, suppliers are expected to be the weak link in an
otherwise secured environment. More and more hotels are requiring that their third-party
suppliers be both GDPR-ready and PCI DSS compliant.
What Is The Greatest Challenge?
It was very revealing when the survey respondents were asked where, within the hotel’s
operation, the greatest GDPR challenge lies. Half of the survey respondents pointed out that
their greatest challenge is the absence of qualified staff. This is probably because there is
generally a lack of GDPR experience right across the hotel industry, as is the case in other
types of businesses.
In hindsight, it was like asking a computer programmer in 1999 what they would expect from a
computer system at the change of the millennium. At the time, no one had experienced a
change from 1999 to 2000, just as there is no one in business today who has become fully GDPR
compliant. Statements in the Regulation such as ‘ensures an adequate level of protection’
are bound to be open to interpretation. Are we expecting the GDPR to be like the anti-climax
of the Y2K problem that computer systems faced in the 1990s? On the contrary, the GDPR involves
a large number of people and a wider range of the operational aspects of the hotel business, so
there is a real lack of understanding of how far-reaching this piece of legislation will be. This
was apparent in the survey and in our interviews with suppliers.
33 percent of our survey respondents stated that they did not understand where the GDPR
would have an impact, while 35 percent of them indicated they lacked support from their
suppliers.
Time For Data Mapping
It was perhaps not surprising to realise that hoteliers were unsure what items of personal data
would be adequate and relevant for their operation. In particular, the GDPR requires ensuring
that the period for which the personal data items are stored is limited to a strict minimum.
Personal data should be processed only if the purpose of the processing could not reasonably
be fulfilled by other means. To ensure that the personal data is not kept longer than necessary,
time limits should be established by the hotel for deletion or for a periodic review. Every
reasonable step should be taken to ensure that inaccurate personal data items are
rectified or deleted.
Almost 50 percent of survey respondents affirmed that a minimal viable compliant project will
be pursued but it was not the right time to review which personal data items are captured,
processed, stored and maintained. When launching the survey, it was obvious that there was
no time to streamline or right-size the personal data items that are held by hotels. There was
an impression that the main priority was to create a data map of the current situation, as
required by Article 30 of the GDPR. Only a third of the survey respondents indicated they would
be consolidating and cleaning out the customer database. By December 2017, there is simply
not enough time to be clever and redesign any guest databases or related processes.
Our survey found that 34 percent of those who responded stated that there was an opportunity to
create new processes which will allow for improved permission-based marketing. This closely
relates to the requirements to capture the guest’s consent to the processing of his or her
personal data for one or more specific purposes. Marketing and sales promotions in the hotel
trade heavily rely on personal data. Therefore, personal data should be processed in a manner
that ensures appropriate security and confidentiality of the personal data, including preventing
unauthorised access to or use of personal data.
A lot of hotels do not know which guests have given their consent to direct marketing and
which have not. The UK pub chain J.D. Wetherspoon deleted its entire email mailing list.
This was announced in June 2017 in an email from their chief executive John Hutson. “Many
companies use email to promote themselves, but we don't want to take this approach – which
many consider intrusive,” Hutson wrote to subscribers. “Our database of customers’ email
addresses, including yours, will be deleted”.
It is unclear whether this announcement was related to a lack of a return on investment in
becoming GDPR compliant, relative to the benefits of holding an email mailing list, especially
where the concept or the manner of obtaining customer consent could be vague. Conversely, in
March 2017, the airline Flybe was fined £70,000 (around $93,000) by the Information
Commissioner’s Office (ICO) after sending more than 3 million emails under the title “Are your
details correct?”.
While a GDPR implementation project will have an obvious focus on compliance, the survey
questioned whether hoteliers were looking to deliver an improved customer experience. Only
16 percent of hoteliers indicated they would look to leverage GDPR, such as data portability,
right to be forgotten, subject access rights, as a means of improving the customer experience.
There appears to be a lack of vision in the identification of new business opportunities that
compliance with GDPR is expected to provide. Trust in personal data is expected to be a service
differentiator in the future. Many hotels (and merchants) have already made investments in
the design of the customer experience. Privacy by design will now be unequivocally linked to it.
How Much Will This Cost?
Our survey did not specifically inquire about the cost of GDPR implementation but a recent
survey by TrustArc did focus on GDPR spending. In their survey, 69 percent of UK respondents
expected that their GDPR spending will be at least $100,000. Other results of the TrustArc
survey are summarised in this table:
During our qualitative interviews, we spoke to data processors, hotel vendors, and a couple of
small hotels with 100 to 200 rooms, and one well-known national brand. They estimate a
budget of between $500,000 and $1 million in the first year of getting GDPR ready. Larger hotel
groups will have a greater budget specifically for GDPR and a sum above $5 million will not be
uncommon. One of the interviewees revealed that the GDPR related expenditure on external
consultants could reach approximately $3 million in the next three months. None of these
conversations indicated that this level of spending would be reduced following the May 2018
deadline, because they felt that GDPR will not fade.
Unlike the Y2K problem, the GDPR will require continuous investment over the next few years and
will eventually become an operational expense. Ongoing monitoring, procedures and processes
will have to be improved as they deal with the operational challenges of subject access
requests, requests to be forgotten, improved management of data subject consent,
management of marketing databases, reward programs, gift card and voucher programs, etc.
Data breach reporting and management must be established and will have to be tested with all
suppliers handling the hotel’s consumer data.
How Can Edgar, Dunn & Company Help?
By working with EDC, there are three steps to follow for getting ready for GDPR, fast-tracking
your strategies to ensure GDPR compliance or improving your existing plans:
1. A light-touch health check – we suggest no more than a few days to assess your
current roadmap and readiness against the GDPR requirements – essentially, this is a
gap-analysis step. In some cases, where there is an ongoing in-house GDPR project, it
is advisable to gain an outside independent perspective of your plans
2. An in-depth data mapping of the current processes, people, platforms and places – as
required by Article 30 in the GDPR – we use a range of sophisticated GDPR-ready
documentation tools which best suit your business to perform this step
3. Change management project – creation of new policies, such as a Subject Access Request
(SAR) policy, retention policy and privacy policy across all customer touch points. This step
will include staff awareness and training. We work with lawyers and solution vendors
where necessary to conduct this step.
Based on our conversations with a range of hotels and their suppliers, the GDPR challenges
they are experiencing today are very similar for other travel-related businesses, such as train
operators and airlines. The more personal data is needed in the booking and
servicing of guests and travellers, the greater the need for a clear GDPR strategy and the need
to embrace privacy by design.
We have found that most hoteliers and merchants that process personal data are focusing their
limited resources on the processes to be compliant with GDPR. At this stage, this is appropriate
and to be expected. However, at Edgar, Dunn & Company, we believe that the next wave of
GDPR frenzy (i.e. post 25 May 2018) will be driven by the need to be more visionary in the
identification of new business opportunities that will leverage data portability, access to
centralised customer data and the monetisation of data.
Edgar, Dunn & Company (EDC) is an independent global financial services and
payments consultancy. Founded in 1978, the firm is widely regarded as a
trusted advisor to its clients, providing a full range of strategy consulting
services, expertise and market insight.
From offices in Frankfurt, Istanbul, London, Paris, San Francisco, and Sydney,
EDC delivers actionable strategies, measurable results and a unique global
perspective for clients in more than 45 countries on six continents.
For more information contact: Mark Beresford
Tel: +44 (0) 7283 1114
Email: mark.beresford@edgardunn.com
http://www.edgardunn.com/
Strategy Consultants
Specialised in Payments