2017 GDPR Hotel Survey Results
Edgar, Dunn & Company (EDC) has just completed a survey of 300 hoteliers around the UK to gain a better understanding of the current status of their General Data Protection Regulation (GDPR) plans.
Contents
Introduction ... 3
Are Hoteliers Ready For GDPR? ... 4
Survey Methodology ... 5
Controller Or Processor? ... 6
Not Enough Awareness And Not Enough Action ... 7
Hotels Are More Vulnerable To Data Breaches ... 9
Hotel Data Or Processor Data ... 10
What Is The Greatest Challenge? ... 11
Time For Data Mapping ... 12
How Much Will This Cost? ... 14
How Can Edgar, Dunn & Company Help? ... 15
Introduction
The General Data Protection Regulation (GDPR), considered to be the biggest shake-up of data
protection laws for 20 years, will come into force in the European Union (EU) Member States
on 25 May 2018. Edgar, Dunn & Company (EDC) has just completed a survey of 300 hoteliers
around the UK to gain a better understanding of the current status of their GDPR plans. The
results show that 57 percent of them have not started the process of GDPR implementation yet.
Only a third of the surveyed respondents are planning to consolidate and clean out their
customer databases.
There are just six months to become GDPR compliant and if you want to learn more about the
implications of this upcoming regulation for hotels worldwide.
Are Hoteliers Ready For GDPR?
Within Edgar, Dunn & Company (EDC), the Travel Practice team provides advice on various
topics to players in the travel space, including hoteliers. As we move towards the deadline, EDC
has been keen to understand the implications of the General Data Protection Regulation
(GDPR) for hotels. Considering that GDPR is the biggest shake-up of data protection laws for 20
years, EDC wanted to conduct a survey of hoteliers to uncover answers to the following
question: are hoteliers ready for GDPR compliance? Our original working hypothesis can be
summarised into three key areas:
1. For medium and large hotels, the GDPR will have a significant impact on their
business operations, but they are not likely to be GDPR compliant in time, by May
2018
2. There would be a close correlation between how payments are processed within a
hotel, from booking through to check-out, and the collection, storage and
processing of personal consumer data (as defined by the GDPR)
3. The GDPR challenges faced by hotels will be similar for other travel-related
businesses, such as train operators, and airlines
The new GDPR will strengthen and harmonise data protection laws across Europe from 25 May
2018. As the GDPR will replace the current Directive and take the form of a Regulation, this
means it will be enforceable by law immediately in all Member States, without the need to
transpose it into national laws. The UK Government has confirmed that its decision to leave the
EU will not affect the commencement of the GDPR.
The GDPR will have a huge impact on the protection of data, data privacy and the rights of data
subjects (people who reside in the European Union). This is not just about EU citizens, it is
about everyone who resides in the EU.
According to Eurostat, there are an estimated 510 million people living in the EU, 2.4 million
of whom are from non-EU countries. The United Nations World Tourism Organisation
(UNWTO) recently published its ‘Tourism Highlights’ report, which stated that the EU is a major
tourist destination, with four of its Member States among the world’s top 10 destinations in
2016. According to the UNWTO, around 124 million people travel to the EU from
non-EU countries every year, who stay overnight in hotels and therefore fall
within the GDPR remit. Furthermore, the GDPR applies to stored EU citizens’ data independently
of where those guests stay around the world. According to Eurostat, 71 million EU citizens
travel to non-EU countries per year. Essentially, the GDPR will impact all businesses in the
hospitality sector worldwide.
The results of our survey highlight that most medium and large hotel brands operate with a
highly fragmented or a poorly defined data management system. We could therefore expect
that many hotels will not be compliant when the GDPR requirements take effect. Aligning data
processing policies and procedures with the GDPR requirements will take most organizations
longer than they anticipated.
Survey Methodology
EDC approached more than 300 UK-based hotels to conduct this survey. They varied in size,
some small (less than 100 rooms), some medium (101 to 199 rooms) and some belonging to
large international hotel chains, with more than 200 rooms. We asked them to complete an
online GDPR survey which was open between September and November 2017. The findings
described in this article provide a representative sample of the opinion of experts and vendors
from the hotel industry across the UK. We believe the UK hotels are representative of other
European hotels but outside Europe, GDPR awareness amongst hoteliers is alarmingly limited.
The objective of conducting this survey was to gain a better understanding of the needs of
hotels in terms of data security, their knowledge of the implications of the GDPR and the
potential changes that could affect the way hotels operate. Additionally, several qualitative
telephone interviews were conducted on both sides of the Atlantic with leading hotel vendors,
such as Property Management System (PMS) providers and channel managers, to obtain an
in-depth analysis of the current situation. These interviews were helpful for exploring what hotels
are currently thinking about their GDPR plans and when they expect to become GDPR ready.
Controller Or Processor?
One fundamental aspect of the new regulation is that the basic concepts of a data ‘controller’
and a ‘processor’ remain essentially unchanged under the GDPR. However, their respective
obligations are significantly amended. To be clear, a ‘controller’ means the natural or legal
person, agency or any other body which, alone or jointly with others, determines the
purposes and means of the processing of personal data.
For our survey, the data controller is the hotel. The ‘data subject’ is the guest who stays at the
hotel. On the other hand, a ‘processor’ means a natural or legal person, agency or any other
body which processes personal data on behalf of the controller. Basically, all the software
vendors, IT platform suppliers, loyalty programme operators and service providers that may be
handling the guest’s personal data on behalf of the hotel are categorised as data processors.
Interestingly, our telephone interviews with data processors suggested that they believed they
were not responsible for GDPR compliance and that responsibility lay solely with the data
controllers. (This is not entirely true.) Nonetheless, further questioning found that the majority
of vendors did not know when they would become GDPR compliant. There appears to be some
confusion in this area, and we would expect numerous cases of finger-pointing after 25 May 2018:
cases where data controllers will declare that GDPR compliance is partially the responsibility of
the processor, whereas data processors will claim something else.
Through conversations with non-EU players, some vendors from North America appeared to be
entirely unaware of the GDPR or of the need to comply.
Not Enough Awareness And Not Enough Action
A significant finding from our hotel survey was that 57 percent of the respondents admitted
that they have not started the process of GDPR implementation. This took us by surprise,
considering that at the time of closing the survey, there were only 6 months left until May 2018.
In order to validate our findings, we explored whether there were any other surveys conducted
on the topic within the hotel industry.
Unfortunately, there were no comparable hotel surveys available in the public domain.
However, at a similar time, a survey conducted by the International Association of Privacy
Professionals (IAPP), in coordination with TRUSTe, found slightly more advanced preparations.
The IAPP survey, which nonetheless did not focus on the hotel industry, stated that 67 percent
of EU companies reported to have begun a GDPR implementation. This is a stark contrast with
our findings, which may derive from the fact that the IAPP surveyed all types of companies,
without focusing solely on hotels.
Our concern is that hotels appear to be spending a considerable amount of time
understanding the legislation and making plans to be GDPR-ready instead of setting up an
ongoing GDPR implementation strategy. During some of our qualitative interviews with a
larger hotel group, with over 2,500 rooms, we found that they were further along with their
GDPR implementation plans. However, our findings also revealed that, amongst medium and
smaller hotels (with fewer than 2,500 rooms), there is a huge lack of GDPR planning or
implementation.
When required to select the closest description of their GDPR plans, 39 percent of our survey
respondents pointed out they had not started the implementation phase, but they were
working on their GDPR plan.
Meanwhile, 18 percent of them indicated that they have a plan in place but have not started
working on the implementation aspect. Only 23 percent of hotels surveyed reported having a
GDPR implementation plan internally.
A standard dataset within a hotel database typically includes items such as guest
names, addresses, dates of birth, credit card details and passport details, as well as
preferences such as dietary requirements. This information is normally held for all
guests, whether they are staying for leisure or business.
This is therefore sensitive data that could be used to carry out identity or credit
card fraud. Hence, there is a close correspondence between the Payment Card Industry
Data Security Standard (PCI DSS) and the GDPR. We like to think of PCI DSS as the technical
side of managing data security, whereas the GDPR is the people side of managing data security.
Given the relationship between PCI DSS and GDPR, hotels must develop a detailed description
of the processes that follow specific internal risk management policies. In this sense, the GDPR
requires all businesses to have a clearly documented data map – detailing the people,
processes, platforms and the places where all personal data is located.
Hotels Are More Vulnerable To Data Breaches
In the survey, we were interested in understanding whether the hotel industry is more
vulnerable to data breaches than any other sector, such as general retailing. Faced with this
question, 67 percent of respondents said that this was the case. This figure may be slightly
inflated, as our survey was live at a time when it was widely reported that Hyatt
Hotels had discovered unauthorized access to payment card information. This happened at
certain Hyatt-managed locations worldwide between March and July 2017.
Hyatt confirmed the incident involved payment card data, such as cardholder name, card
number, expiration date and the verification code, originating from cards manually entered or
swiped at the hotels’ front desks. Although none of the locations where the data breach occurred
was in the EU, there is a high probability that the data would have belonged to EU data
subjects. Under the GDPR, a data breach will now mean that the data controller, in this case
Hyatt Hotels, will be required to notify the European Regulator within 72 hours of a breach
where this is likely to result in a risk to the rights and freedoms of EU data subjects. Other hotel
brands have recently had similar data breaches; Hilton Hotels and Trump Hotels are two other
examples. Whilst incidents involving large hotel groups are most likely to reach the press, data
breaches can happen in any hotel, regardless of its size.
According to Verizon’s 2016 Data Breach Investigations Report, the hotel industry accounts for
one of the highest numbers of breaches in any sector and has the highest volume, when it
comes to lost cards following an incident. Verizon reports that this is ‘unsurprising, as they
process information which is highly desirable to financially motivated criminals’. This concurs
with our survey findings.
Hotel Data Or Processor Data
Guest data is handled in silos according to 40 percent of the survey respondents. On the other
hand, 40 percent of them indicated there was a single customer relationship management
database, whereas 20 percent of the respondents surveyed did not know where guest data
was held. Guest data may be stored centrally or spread across a variety of hotel systems.
However, we found that Data Security or Data Protection Officers do not have a clear view
of who uses guest data, when it is used and in which department it is used. Article
30 of the GDPR clearly states that each hotelier, i.e. the data controller and, where applicable,
the controller's representative, shall maintain a record of processing activities under its
responsibility. Similarly, each data processor and, where applicable, the processor's
representative shall maintain a record of all categories of processing activities carried out on
behalf of a controller.
In plain English, this means that all suppliers to the hotel that use the guest’s personal data,
from caterers to cleaners, from channel managers to property management system suppliers,
from Online Travel Agencies through to Global Distribution Systems, must be reviewed. Hotels,
as data controllers, must place more emphasis on re-negotiating data processing agreements,
as processors will seek to ensure that the increased costs of GDPR compliance are reflected in
the rates for their services. The scope of the controllers’ responsibilities is clear, and the risks
must be appropriately allocated to the right third-party suppliers. With this challenge in mind,
EDC believes this is the ideal time to refresh and re-negotiate contracts between hotels and their
suppliers.
According to some of our vendor interviews, suppliers are expected to be a weak link in an
otherwise secured environment. More and more hotels are requiring that their third-party
suppliers be both GDPR-ready and PCI DSS compliant.
What Is The Greatest Challenge?
It was very revealing when the survey respondents were asked where, within the hotel’s
operation, the greatest GDPR challenge lies. Half of the survey respondents pointed out that
their greatest challenge is the absence of qualified staff. This is probably because there is
generally a lack of GDPR experience right across the hotel industry, as is the case in other
types of business.
In hindsight, it was like asking a computer programmer in 1999 what they would expect from a
computer system at the change of the millennium. At the time, no one had experienced a
change from 1999 to 2000, just as there is no one in business today who has become fully GDPR
compliant. Statements in the Regulation such as ‘ensures an adequate level of protection’
are bound to be open to interpretation. Are we expecting the GDPR to be like the anti-climax
of the Y2K problem that computer systems faced in the 1990s? On the contrary, the GDPR involves
a large number of people and a wider range of the operational aspects of the hotel business, so
there is a real lack of understanding of how far-reaching this piece of legislation will be. This
was apparent in the survey and in our interviews with suppliers.
33 percent of our survey respondents stated that they did not understand where the GDPR
would have an impact, while 35 percent of them indicated they lacked support from their
suppliers.
Time For Data Mapping
It was perhaps not surprising to realise that hoteliers were unsure what items of personal data
would be adequate and relevant for their operation. In particular, the GDPR requires ensuring
that the period for which the personal data items are stored is limited to a strict minimum.
Personal data should be processed only if the purpose of the processing could not reasonably
be fulfilled by other means. To ensure that the personal data is not kept longer than necessary,
time limits should be established by the hotel for deletion or for a periodic review. Every
reasonable step should be taken to certify that personal data items, which are inaccurate, are
rectified or deleted.
Almost 50 percent of survey respondents affirmed that a minimum viable compliance project
would be pursued, but that it was not the right time to review which personal data items are
captured, processed, stored and maintained. When launching the survey, it was obvious that
there was no time to streamline or right-size the personal data items held by hotels. There was
an impression that the main priority was to create a data map of the current situation, as
required by Article 30 of the GDPR. Only a third of the survey respondents indicated they would
be consolidating and cleaning out the customer database. By December 2017, there is simply
not enough time to be clever and redesign any guest databases or related processes.
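As an added illustration of the Article 30 data map and the retention review described above (example code written for this edit, not part of the EDC report or any hotel system; the activities, processors, retention periods and guest records are constructed sample data), a small model of a hotel's record of processing activities, with a periodic review that flags data items held without a mapped purpose, items past their retention limit, and marketing data held without recorded consent:

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class ProcessingActivity:
    """One row of an Article 30 record: the people, process, platform and place
    for an activity, plus the data items it needs and how long they are kept."""
    process: str
    people: str           # department accountable for the activity
    platform: str         # system in which the personal data is held
    place: str            # where that system stores the data
    purpose: str
    lawful_basis: str     # "contract", "legal obligation", "consent", ...
    data_items: tuple     # categories of personal data the activity uses
    processors: tuple     # third parties handling the data on the hotel's behalf
    retention_days: int   # time limit for deletion or periodic review


# Constructed sample data map for a hypothetical hotel acting as data controller.
DATA_MAP = (
    ProcessingActivity("reservation", "Front office", "PMS", "UK data centre",
                       "fulfil the booking", "contract",
                       ("name", "address", "card_details"),
                       ("PMS vendor", "channel manager", "OTA", "GDS"), 90),
    ProcessingActivity("check_in", "Front office", "PMS", "UK data centre",
                       "guest registration", "legal obligation",
                       ("name", "date_of_birth", "passport_details"),
                       ("PMS vendor",), 365),
    ProcessingActivity("catering", "Food and beverage", "kitchen sheet", "on site",
                       "prepare meals", "contract",
                       ("name", "dietary_requirements"), ("caterer",), 7),
    ProcessingActivity("direct_marketing", "Sales", "CRM", "EU data centre",
                       "promotional email", "consent",
                       ("name", "email"), ("email platform",), 730),
)


@dataclass(frozen=True)
class GuestRecord:
    guest_id: str
    items: dict                        # data category -> stored value
    collected_on: date
    marketing_consent: Optional[bool]  # None means the hotel does not know


def processors_for(data_map, item):
    """Every third party that receives a given data item (the data map lookup)."""
    return sorted({p for a in data_map if item in a.data_items for p in a.processors})


def retention_limit(data_map, item):
    """Longest retention among the activities that need the item; None if no
    activity in the map uses the item at all (i.e. it has no documented purpose)."""
    days = [a.retention_days for a in data_map if item in a.data_items]
    return max(days) if days else None


def consent_only_items(data_map):
    """Items whose only lawful basis in the map is consent (e.g. a marketing email)."""
    by_consent = {i for a in data_map if a.lawful_basis == "consent" for i in a.data_items}
    by_other = {i for a in data_map if a.lawful_basis != "consent" for i in a.data_items}
    return by_consent - by_other


def review(records, data_map, today):
    """Periodic review: flag items with no mapped purpose, items past their
    retention limit, and consent-based items held without recorded consent."""
    findings = []
    consent_items = consent_only_items(data_map)
    for r in records:
        age = (today - r.collected_on).days
        for item in r.items:
            limit = retention_limit(data_map, item)
            if limit is None:
                findings.append((r.guest_id, item, "unmapped"))
            elif age > limit:
                findings.append((r.guest_id, item, f"overdue:{age - limit}"))
            if item in consent_items and r.marketing_consent is not True:
                findings.append((r.guest_id, item, "no_consent"))
    return findings


# Constructed sample guest records, reviewed on the GDPR start date.
TODAY = date(2018, 5, 25)
SAMPLE_RECORDS = (
    GuestRecord("G1", {"name": "A. Guest", "address": "1 High St", "card_details": "****1111"},
                date(2018, 3, 1), False),
    GuestRecord("G2", {"name": "B. Guest", "card_details": "****2222", "passport_details": "XX000000"},
                date(2017, 1, 15), False),
    GuestRecord("G3", {"name": "C. Guest", "email": "c@example.com", "loyalty_number": "L-3"},
                date(2018, 5, 1), None),
)

if __name__ == "__main__":
    for finding in review(SAMPLE_RECORDS, DATA_MAP, TODAY):
        print(*finding)
```

The same map answers the supplier question from the previous section: `processors_for(DATA_MAP, "card_details")` lists every third party that must be covered by a data processing agreement for that item.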
Our survey found that 34 percent of respondents stated that there was an opportunity to
create new processes which will allow for improved permission-based marketing. This closely
relates to the requirements to capture the guest’s consent to the processing of his or her
personal data for one or more specific purposes. Marketing and sales promotions in the hotel
trade heavily rely on personal data. Therefore, personal data should be processed in a manner
that ensures appropriate security and confidentiality of the personal data, including preventing
unauthorised access to or use of personal data.
A lot of hotels do not know which guests have given their consent to direct marketing and
which have not. The UK pub chain J.D. Wetherspoon deleted its entire email mailing list.
This was announced in June 2017 in an email from their chief executive John Hutson. “Many
companies use email to promote themselves, but we don't want to take this approach – which
many consider intrusive,” Hutson wrote to subscribers. “Our database of customers’ email
addresses, including yours, will be deleted”.
It is unclear whether this announcement was related to a lack of a return on investment in
becoming GDPR compliant, relative to the benefits of holding an email mailing list; especially,
where the concept or the manner to obtain customer consent could be vague. Conversely, in
March 2017, the airline Flybe was fined £70,000 (around $93,000) by the Information
Commissioner’s Office (ICO) after sending more than 3 million emails under the title “Are your
details correct?”.
While a GDPR implementation project will have an obvious focus on compliance, the survey
questioned whether hoteliers were looking to deliver an improved customer experience. Only
16 percent of hoteliers indicated they would look to leverage GDPR rights, such as data portability,
the right to be forgotten and subject access rights, as a means of improving the customer experience.
There appears to be a lack of vision in the identification of the new business opportunities that
compliance with GDPR is expected to provide. Trust in personal data is expected to be a service
differentiator in the future. Many hotels (and merchants) have already made investments in
the design of the customer experience. Now privacy by design will be unequivocally linked to it.
How Much Will This Cost?
Our survey did not specifically inquire about the cost of GDPR implementation but a recent
survey by TrustArc did focus on GDPR spending. In their survey, 69 percent of UK respondents
expected that their GDPR spending will be at least $100,000. Other results of the TrustArc
survey are summarised in this table:
During our qualitative interviews, we spoke to data processors, hotel vendors, a couple of
small hotels with 100 to 200 rooms, and one well-known national brand. They estimate a
budget of between $500,000 and $1 million in the first year of getting GDPR ready. Larger hotel
groups will have a greater budget specifically for GDPR, and a sum above $5 million will not be
uncommon. One of the interviewees revealed that GDPR-related expenditure on external
consultants could reach approximately $3 million in the next three months. None of these
conversations indicated that this level of spending would be reduced following the May 2018
deadline, because they felt that the GDPR will not fade.
Unlike the Y2K problem, it will require continuous investment over the next few years and
eventually become an operational expense. Ongoing monitoring, procedures and processes
will have to be improved as they deal with the operational challenges of subject access
requests, requests to be forgotten, improved management of data subject consent,
management of marketing databases, reward programs, gift card and voucher programs, etc.
Data breach reporting and management must be established and will have to be tested with all
suppliers handling the hotel’s consumer data.
How Can Edgar, Dunn & Company Help?
By working with EDC, there are three steps to follow for getting ready for GDPR, fast-tracking
your strategies to ensure GDPR compliance or improving your existing plans:
1. A light-touch health check – we suggest no more than a few days to assess your
current roadmap and readiness against the GDPR requirements – essentially, this is a
gap-analysis step. In some cases, where there is an on-going in-house GDPR project, it
is advisable to gain an outside independent perspective of your plans
2. An in-depth data mapping of the current processes, people, platforms and places – as
required by Article 30 in the GDPR – we use a range of sophisticated GDPR-ready
documentation tools which best suit your business to perform this step
3. Change management project – creation of new policies, such as a Subject Access Request
(SAR) policy, retention policy and privacy policy across all customer touch points. This step
will include staff awareness and training. We work with lawyers and solution vendors
where necessary to conduct this step.
Based on our conversations with a range of hotels and their suppliers, the GDPR challenges
they are experiencing today are very similar for other travel-related businesses, such as train
operators and airlines. The higher the propensity for personal data needed in the booking and
servicing of guests and travellers, the greater the need for a clear GDPR strategy and the need
to embrace privacy by design.
We have found that most hoteliers and merchants that process personal data are focusing their
limited resources on the processes to be compliant with GDPR. At this stage, this is appropriate
and to be expected. However, at Edgar, Dunn & Company, we believe that the next wave of
GDPR frenzy (i.e. post 25 May 2018) will be driven by the need to be more visionary in the
identification of new business opportunities that will leverage data portability, access to
centralised customer data and the monetisation of data.
If you are interested in discussing any of these GDPR or payments-related topics, EDC will be pleased
to set up an initial conversation to discuss in further detail the learnings from this study and how you
can optimise your GDPR strategy.
Contacts
Pascal Burg, Head of the Travel Practice
e: pascal.burg@edgardunn.com
t: +33 1 40 07 92 24
m: +33 6 79 37 55 47
Mark Beresford, Head of the Retailer Payments Practice
e: mark.beresford@edgardunn.com
t: +44 7283 1114
m: +44 7825 027525
EDC would like to thank all the hotels for their contribution to this GDPR survey, and the many
organisations and individuals that provided information and perspectives that collectively form
the foundation for this report.
The observations and conclusions in this document are entirely those of EDC
and are not intended in any way or form to reflect the views or perspectives of any individual or
hotel operator.
Copyright © 2017 Edgar, Dunn & Company
All rights reserved. Reproduction by any method or un-authorised circulation is strictly prohibited,
and is a violation of international copyright law.
Edgar, Dunn & Company (EDC) is an independent global financial services and
payments consultancy. Founded in 1978, the firm is widely regarded as a
trusted advisor to its clients, providing a full range of strategy consulting
services, expertise and market insight.
From offices in Frankfurt, Istanbul, London, Paris, San Francisco, and Sydney,
EDC delivers actionable strategies, measurable results and a unique global
perspective for clients in more than 45 countries on six continents.
For more information contact: Mark Beresford
Tel: +44 (0) 7283 1114
Email: mark.beresford@edgardunn.com
http://www.edgardunn.com/
Strategy Consultants
Specialised in Payments
Apsara Of India
 
Visa Consultant in Lahore || 📞03094429236
Visa Consultant in Lahore || 📞03094429236Visa Consultant in Lahore || 📞03094429236
Visa Consultant in Lahore || 📞03094429236
Sherazi Tours
 

Dernier (20)

Mathura Call Girls 8250077686 Service Offer VIP Hot Model
Mathura Call Girls 8250077686 Service Offer VIP Hot ModelMathura Call Girls 8250077686 Service Offer VIP Hot Model
Mathura Call Girls 8250077686 Service Offer VIP Hot Model
 
Top places to visit, top tourist destinations
Top places to visit, top tourist destinationsTop places to visit, top tourist destinations
Top places to visit, top tourist destinations
 
Varanasi Call Girls 8250077686 Service Offer VIP Hot Model
Varanasi Call Girls 8250077686 Service Offer VIP Hot ModelVaranasi Call Girls 8250077686 Service Offer VIP Hot Model
Varanasi Call Girls 8250077686 Service Offer VIP Hot Model
 
CYTOTEC DUBAI ☎️ +966572737505 } Abortion pills in Abu dhabi,get misoprostal ...
CYTOTEC DUBAI ☎️ +966572737505 } Abortion pills in Abu dhabi,get misoprostal ...CYTOTEC DUBAI ☎️ +966572737505 } Abortion pills in Abu dhabi,get misoprostal ...
CYTOTEC DUBAI ☎️ +966572737505 } Abortion pills in Abu dhabi,get misoprostal ...
 
❤Personal Contact Number Mcleodganj Call Girls 8617697112💦✅.
❤Personal Contact Number Mcleodganj Call Girls 8617697112💦✅.❤Personal Contact Number Mcleodganj Call Girls 8617697112💦✅.
❤Personal Contact Number Mcleodganj Call Girls 8617697112💦✅.
 
❤Personal Contact Number Varanasi Call Girls 8617697112💦✅.
❤Personal Contact Number Varanasi Call Girls 8617697112💦✅.❤Personal Contact Number Varanasi Call Girls 8617697112💦✅.
❤Personal Contact Number Varanasi Call Girls 8617697112💦✅.
 
2k Shots ≽ 9205541914 ≼ Call Girls In Tagore Garden (Delhi)
2k Shots ≽ 9205541914 ≼ Call Girls In Tagore Garden (Delhi)2k Shots ≽ 9205541914 ≼ Call Girls In Tagore Garden (Delhi)
2k Shots ≽ 9205541914 ≼ Call Girls In Tagore Garden (Delhi)
 
Kolkata Call Girls - 📞 8617697112 🔝 Top Class Call Girls Service Available
Kolkata Call Girls - 📞 8617697112 🔝 Top Class Call Girls Service AvailableKolkata Call Girls - 📞 8617697112 🔝 Top Class Call Girls Service Available
Kolkata Call Girls - 📞 8617697112 🔝 Top Class Call Girls Service Available
 
Hire 💕 8617697112 Chamba Call Girls Service Call Girls Agency
Hire 💕 8617697112 Chamba Call Girls Service Call Girls AgencyHire 💕 8617697112 Chamba Call Girls Service Call Girls Agency
Hire 💕 8617697112 Chamba Call Girls Service Call Girls Agency
 
Night 7k to 12k Daman Call Girls 👉👉 8617697112⭐⭐ 100% Genuine Escort Service ...
Night 7k to 12k Daman Call Girls 👉👉 8617697112⭐⭐ 100% Genuine Escort Service ...Night 7k to 12k Daman Call Girls 👉👉 8617697112⭐⭐ 100% Genuine Escort Service ...
Night 7k to 12k Daman Call Girls 👉👉 8617697112⭐⭐ 100% Genuine Escort Service ...
 
🔥HOT🔥📲9602870969🔥Prostitute Service in Udaipur Call Girls in City Palace Lake...
🔥HOT🔥📲9602870969🔥Prostitute Service in Udaipur Call Girls in City Palace Lake...🔥HOT🔥📲9602870969🔥Prostitute Service in Udaipur Call Girls in City Palace Lake...
🔥HOT🔥📲9602870969🔥Prostitute Service in Udaipur Call Girls in City Palace Lake...
 
Discover Mathura And Vrindavan A Spritual Journey.pdf
Discover Mathura And Vrindavan A Spritual Journey.pdfDiscover Mathura And Vrindavan A Spritual Journey.pdf
Discover Mathura And Vrindavan A Spritual Journey.pdf
 
Ooty Call Girls 8250077686 Service Offer VIP Hot Model
Ooty Call Girls 8250077686 Service Offer VIP Hot ModelOoty Call Girls 8250077686 Service Offer VIP Hot Model
Ooty Call Girls 8250077686 Service Offer VIP Hot Model
 
Darjeeling Call Girls 8250077686 Service Offer VIP Hot Model
Darjeeling Call Girls 8250077686 Service Offer VIP Hot ModelDarjeeling Call Girls 8250077686 Service Offer VIP Hot Model
Darjeeling Call Girls 8250077686 Service Offer VIP Hot Model
 
Genuine 8250077686 Hot and Beautiful 💕 Chennai Escorts call Girls
Genuine 8250077686 Hot and Beautiful 💕 Chennai Escorts call GirlsGenuine 8250077686 Hot and Beautiful 💕 Chennai Escorts call Girls
Genuine 8250077686 Hot and Beautiful 💕 Chennai Escorts call Girls
 
Visa Consultant in Lahore || 📞03094429236
Visa Consultant in Lahore || 📞03094429236Visa Consultant in Lahore || 📞03094429236
Visa Consultant in Lahore || 📞03094429236
 
Papi kondalu Call Girls 8250077686 Service Offer VIP Hot Model
Papi kondalu Call Girls 8250077686 Service Offer VIP Hot ModelPapi kondalu Call Girls 8250077686 Service Offer VIP Hot Model
Papi kondalu Call Girls 8250077686 Service Offer VIP Hot Model
 
Hire 💕 8617697112 Reckong Peo Call Girls Service Call Girls Agency
Hire 💕 8617697112 Reckong Peo Call Girls Service Call Girls AgencyHire 💕 8617697112 Reckong Peo Call Girls Service Call Girls Agency
Hire 💕 8617697112 Reckong Peo Call Girls Service Call Girls Agency
 
Hire 💕 8617697112 Surat Call Girls Service Call Girls Agency
Hire 💕 8617697112 Surat Call Girls Service Call Girls AgencyHire 💕 8617697112 Surat Call Girls Service Call Girls Agency
Hire 💕 8617697112 Surat Call Girls Service Call Girls Agency
 
Genesis 1:6 || Meditate the Scripture daily verse by verse
Genesis 1:6  ||  Meditate the Scripture daily verse by verseGenesis 1:6  ||  Meditate the Scripture daily verse by verse
Genesis 1:6 || Meditate the Scripture daily verse by verse
 

Gdpr 2017 Hotel survey results 7 dec 2017

4

Are Hoteliers Ready For GDPR?

Within Edgar, Dunn & Company (EDC), the Travel Practice team provides advice on various topics to players in the travel space, including hoteliers. As we move towards the deadline, EDC has been keen to understand the implications of the General Data Protection Regulation (GDPR) for hotels. Considering that GDPR is the biggest shake-up of data protection laws for 20 years, EDC wanted to conduct a survey of hoteliers to answer the following question: are hoteliers ready for GDPR compliance?

Our original working hypothesis can be summarised into three key areas:

1. For medium and large hotels, the GDPR will have a significant impact on their business operations, but they are not likely to be GDPR compliant in time, by May 2018.
2. There would be a close correlation between how payments are processed within a hotel, from booking through to check-out, and the collection, storage and processing of personal consumer data (as defined by the GDPR).
3. The GDPR challenges faced by hotels will be similar for other travel-related businesses, such as train operators and airlines.

The new GDPR will strengthen and harmonise data protection laws across Europe from 25 May 2018. As the GDPR will replace the current Directive and take the form of a Regulation, it will be enforceable by law immediately in all Member States, without the need to transpose it into national laws. The UK Government has confirmed that its decision to leave the EU will not affect the commencement of the GDPR.

The GDPR will have a huge impact on the protection of data, data privacy and the rights of data subjects (people who reside in the European Union). This is not just about EU citizens; it is about everyone who resides in the EU. According to Eurostat, there are an estimated 510 million citizens living in the EU, and 2.4 million of them are from non-member EU countries.

The United Nations World Tourism Organisation (UNWTO) recently published its ‘Tourism Highlights’ report, which stated that the EU is a major tourist destination, with four of its Member States among the world’s top 10 destinations in 2016. According to the UNWTO, around 124 million people travel to the EU from non-EU countries every year; they will stay overnight in a hotel and, therefore, fall within the GDPR remit. Furthermore, the GDPR applies to stored EU citizens’ data independently of where guests stay around the world. Based on Eurostat, there are 71 million EU citizens travelling to non-EU countries per year. Essentially, the GDPR will impact all businesses in the hospitality sector worldwide.

The results of our survey highlight that most medium and large hotel brands operate with a highly fragmented or poorly defined data management system. We could therefore expect that many hotels will not be compliant when the GDPR requirements take effect. Aligning data processing policies and procedures with the GDPR requirements will take most organisations longer than they anticipated.
5

Survey Methodology

EDC approached more than 300 UK-based hotels to conduct this survey. They varied in size: some small (fewer than 100 rooms), some medium (101 to 199 rooms) and some belonging to large international hotel chains, with more than 200 rooms. We asked them to complete an online GDPR survey which was open between September and November 2017. The findings described in this article provide a representative sample of the opinion of experts and vendors from the hotel industry across the UK. We believe the UK hotels are representative of other European hotels, but outside Europe, GDPR awareness amongst hoteliers is alarmingly limited.

The objective of conducting this survey was to gain a better understanding of the needs of hotels in terms of data security, their knowledge of the implications of the GDPR and the potential changes that could affect the way hotels operate. Additionally, several qualitative telephone interviews were performed on both sides of the Atlantic with leading hotel vendors, such as Property Management System (PMS) providers, channel managers, etc., to obtain an in-depth analysis of the current situation. These interviews were helpful for exploring what hotels are currently thinking about their GDPR plans and their expectations as to when they will become GDPR ready.
6

Controller Or Processor?

One fundamental aspect of the new regulation is that the basic concepts of a data ‘controller’ and ‘processor’ remain essentially unchanged under the GDPR. However, their respective obligations are significantly amended. Just to be clear, a ‘controller’ means the natural or legal person, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For our survey, the data controller is the hotel. The ‘data subject’ is the guest who stays at the hotel.

On the other hand, a ‘processor’ means a natural or legal person, agency or any other body which processes personal data on behalf of the controller. Basically, all the software vendors, IT platform suppliers, loyalty program and service providers that may be handling the guest’s personal data on behalf of the hotel are categorised as data processors.

Interestingly, our telephone interviews with data processors implied that they were not responsible for GDPR compliance and that responsibility lay solely with the data controllers. (This is not entirely true.) Nonetheless, further questioning found that the majority of vendors did not know when they would become GDPR compliant. There appears to be some confusion in this area and we would expect numerous cases of finger-pointing after 25 May 2018: cases where data controllers will declare that GDPR compliance is partially the responsibility of the processor, whereas data processors will claim something else. Through conversations with non-EU players, it appeared that some vendors from North America are entirely unaware of the GDPR or the need to comply.
7

Not Enough Awareness And Not Enough Action

A significant finding from our hotel survey was that 57 percent of the respondents admitted that they have not started the process of GDPR implementation. This took us by surprise, considering that at the time of closing the survey, there were only 6 months left until May 2018.

In order to validate our findings, we explored whether any other surveys had been conducted on the topic within the hotel industry. Unfortunately, there were no comparable hotel surveys available in the public domain. However, at a similar time, a survey conducted by the International Association of Privacy Professionals (IAPP), in coordination with TRUSTe, found slightly more advanced preparations. The IAPP survey, which did not focus on the hotel industry, stated that 67 percent of EU companies reported having begun a GDPR implementation. This is a stark contrast with our findings, which may derive from the fact that the IAPP surveyed all types of companies, without focusing solely on hotels.

Our concern is that the hotels appear to be spending a considerable amount of time understanding the legislation and making plans to be GDPR-ready instead of setting up an ongoing GDPR implementation strategy. During some of our qualitative interviews with a larger hotel group, with over 2,500 rooms, we found out that they were further along with their GDPR implementation plans. However, our findings also revealed that, amongst medium and smaller hotels (with fewer than 2,500 rooms), there is a huge lack of GDPR planning or implementation.
8

When asked to select the closest description of their GDPR plans, 39 percent of our survey respondents said they had not started the implementation phase but were working on their GDPR plan. Meanwhile, 18 percent of them indicated that they have a plan in place but have not started working on the implementation. Only 23 percent of hotels surveyed said they had a GDPR implementation plan in progress internally.

A standard dataset within a hotel database typically includes items such as guest names, addresses, date of birth, credit card details, the guest’s passport details, as well as preferred dietary requirements, etc. This information is normally held for all guests, whether they are staying for leisure or business. It is therefore sensitive data that could be used to carry out identity or credit card fraud. Hence, it is clear there is a close correspondence between the Payment Card Industry Data Security Standard (PCI DSS) and the GDPR. We like to think that PCI DSS is the technical side of managing data security, whereas the GDPR is the people side of managing data security.

Given the relationship between PCI DSS and GDPR, hotels must develop a detailed description of the processes that follow specific internal risk management policies. In this sense, the GDPR requires all businesses to have a clearly documented data map, detailing the people, processes, platforms and the places where all personal data is located.
9

Hotels Are More Vulnerable To Data Breaches

In the survey, we were interested in understanding whether the hotel industry is more vulnerable to data breaches than any other sector, such as general retailing. Faced with the question, 67 percent of respondents said that this was the case. This figure may be slightly inflated, as our survey was live during a time when it was widely reported that Hyatt Hotels had discovered unauthorised access to payment card information. This happened at certain Hyatt-managed locations worldwide between March and July 2017. Hyatt confirmed the incident included payment card data, such as cardholder name, card number, expiration date and the verification code, originating from cards manually entered or swiped at the hotels’ front desk. Although none of the locations where the breach occurred was in the EU, there is a high probability that the data would have belonged to EU data subjects. Under the GDPR, a data breach will now mean that the data controller, in this case Hyatt Hotels, will be required to notify the European regulator within 72 hours of a breach where it is likely to result in a risk to the rights and freedoms of EU data subjects.

Other hotel brands have recently had similar data breaches; Hilton Hotels and Trump Hotels are two other examples. Whilst incidents involving large hotel groups are most likely to reach the press, data breaches can happen in any hotel, regardless of its size. According to Verizon’s 2016 Data Breach Investigations Report, the hotel industry accounts for one of the highest numbers of breaches in any sector and has the highest volume when it comes to lost cards following an incident. Verizon reports that this is ‘unsurprising, as they process information which is highly desirable to financially motivated criminals’. This concurs with our survey findings.
10

Hotel Data Or Processor Data

Guest data is handled in silos according to 40 percent of the survey respondents. On the other hand, 40 percent of them indicated there was a single customer relationship management database, whereas 20 percent of the respondents surveyed did not know where guest data was held. Guest data may be stored centrally or spread across a variety of hotel systems. However, we found that Data Security or Data Protection Officers do not have a clear vision of who uses guest data, when it is used and in which department it is used.

Article 30 of the GDPR clearly states that each hotelier, i.e. the data controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. Similarly, each data processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller. In plain English, this means that all suppliers to the hotel that use the guest’s personal data, from caterers to cleaners, from channel managers to property management system suppliers, from Online Travel Agencies through to Global Distribution Systems, must be reviewed.

Hotels, as data controllers, must place more emphasis on re-negotiating data processing agreements as processors seek to ensure that the increased costs of GDPR compliance are reflected in the rate of their services. The scope of the controllers’ responsibilities is clear and the risks must be appropriately allocated to the right third-party suppliers. With this challenge in mind, EDC believes this is the ideal time to refresh and re-negotiate contracts between hotels and their suppliers. According to some of our vendor interviews, the suppliers are expected to be a weak link in an otherwise secured environment. More and more hotels are requiring their third-party suppliers to be both GDPR-ready and PCI DSS compliant.
11

What Is The Greatest Challenge?

It was very revealing when the survey respondents were asked where, within the hotel’s operation, the greatest GDPR challenge lies. Half of the survey respondents pointed out that their greatest challenge is the absence of qualified staff. This is probably because there is generally a lack of GDPR experience right across the hotel industry, as is the case in other types of businesses. In hindsight, it was like asking a computer programmer in 1999 what they would expect from a computer system at the change of the millennium. At the time, no one had experienced a change from 1999 to 2000, just as there is no one in business today who has become fully GDPR compliant. Statements in the Regulation such as ‘ensures an adequate level of protection’ are bound to be open to interpretation.

Are we expecting the GDPR to be like the anti-climax of the Y2K problem that computer systems faced in the 1990s? On the contrary, the GDPR involves a large number of people and a wider range of the operational aspects of the hotel business, so there is a real lack of understanding of how far-reaching this piece of legislation will be. This was apparent in the survey and in our interviews with suppliers. 33 percent of our survey respondents stated that they did not understand where the GDPR would have an impact, while 35 percent of them indicated they lacked support from their suppliers.
12

Time For Data Mapping

It was perhaps not surprising to realise that hoteliers were unsure which items of personal data would be adequate and relevant for their operation. In particular, the GDPR requires ensuring that the period for which the personal data items are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. To ensure that the personal data is not kept longer than necessary, time limits should be established by the hotel for deletion or for a periodic review. Every reasonable step should be taken to ensure that personal data items which are inaccurate are rectified or deleted.

Almost 50 percent of survey respondents affirmed that a minimal viable compliance project will be pursued, but that it was not the right time to review which personal data items are captured, processed, stored and maintained. When launching the survey, it was obvious that there was no time to streamline or right-size the personal data items that are held by hotels. There was an impression that the main priority was to create a data map of the current situation, as required by Article 30 of the GDPR. Only a third of the survey respondents indicated they would be consolidating and cleaning out the customer database. By December 2017, there is simply not enough time to be clever and redesign any guest databases or related processes.

Our survey found that 34 percent of respondents stated that there was an opportunity to create new processes which will allow for improved permission-based marketing. This closely relates to the requirement to capture the guest’s consent to the processing of his or her personal data for one or more specific purposes. Marketing and sales promotions in the hotel trade rely heavily on personal data. Therefore, personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including preventing unauthorised access to or use of personal data. A lot of hotels do not know which guests have given their consent to direct marketing and which have not.

The UK pub chain J.D. Wetherspoon deleted its entire email mailing list. This was announced in June 2017 in an email from their chief executive John Hutson. “Many companies use email to promote themselves, but we don't want to take this approach – which many consider intrusive,” Hutson wrote to subscribers. “Our database of customers’ email addresses, including yours, will be deleted”. It is unclear whether this announcement was related to a lack of a return on investment in becoming GDPR compliant, relative to the benefits of holding an email mailing list, especially where the concept or the manner of obtaining customer consent could be vague. Conversely, in March 2017, the airline Flybe was fined £70,000 (around $93,000) by the Information Commissioner’s Office (ICO) after sending more than 3 million emails under the title “Are your details correct?”.
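The Article 30 data map, retention time limits, marketing consent and 72-hour breach notification window discussed on pages 9, 10 and 12, worked through as an added Python example (this is not EDC's code or any respondent's system); every platform, department, guest record and timestamp in it is constructed for illustration:

```python
"""Data-map audit for hotel guest data (added example, constructed data).

Each Activity is one row of an Article 30 record of processing: the platform
and place holding the data, the people using it, the purpose, the lawful
basis, the retention limit and, where a third party acts for the hotel (the
controller), the processor and whether a processing agreement is in place.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class Activity:
    platform: str                    # where the data is held
    department: str                  # who uses it
    data_items: List[str]
    purpose: str
    lawful_basis: str                # "contract", "consent", ...
    retention_days: Optional[int]    # None = no time limit set yet
    processor: Optional[str] = None  # third party processing for the hotel
    dpa_signed: bool = False         # data processing agreement in place


@dataclass
class GuestRecord:
    guest_id: str
    platform: str
    last_activity: datetime
    marketing_consent: bool          # explicit consent to direct marketing


KNOWN_BASES = {"contract", "consent", "legal obligation", "legitimate interest"}
NOTIFY_WINDOW = timedelta(hours=72)  # notification window cited on page 9

# Constructed data map: three hypothetical systems found in a typical hotel.
DATA_MAP = [
    Activity("PMS", "Front desk", ["name", "address", "passport", "card"],
             "stay fulfilment", "contract", 730, "PMS vendor", True),
    Activity("Channel manager", "Revenue", ["name", "email"],
             "booking distribution", "contract", 90, "ChannelCo", False),
    Activity("CRM", "Marketing", ["name", "email", "dietary"],
             "direct marketing", "consent", None),
]

NOW = datetime(2017, 12, 7, tzinfo=timezone.utc)  # report date
GUEST_RECORDS = [  # constructed guests
    GuestRecord("G1", "PMS", datetime(2015, 6, 1, tzinfo=timezone.utc), False),
    GuestRecord("G2", "Channel manager", datetime(2017, 11, 1, tzinfo=timezone.utc), True),
    GuestRecord("G3", "CRM", datetime(2014, 1, 1, tzinfo=timezone.utc), True),
]
BREACH_DISCOVERED = NOW - timedelta(hours=30)  # constructed incident time


def audit_data_map(activities: List[Activity]) -> List[Tuple[str, str]]:
    """Gaps in the record of processing that the controller must close."""
    findings = []
    for a in activities:
        if a.retention_days is None:
            findings.append((a.platform, "no retention limit set"))
        if a.processor and not a.dpa_signed:
            findings.append((a.platform,
                             f"no data processing agreement with {a.processor}"))
        if a.lawful_basis not in KNOWN_BASES:
            findings.append((a.platform, f"unrecognised lawful basis '{a.lawful_basis}'"))
    return findings


def records_due_for_review(activities, records, now) -> List[str]:
    """Guest records held longer than their platform's retention limit.
    Platforms with no limit are not guessed at; audit_data_map flags them."""
    limits = {a.platform: a.retention_days for a in activities}
    due = []
    for r in records:
        days = limits.get(r.platform)
        if days is not None and r.last_activity + timedelta(days=days) < now:
            due.append(r.guest_id)
    return due


def marketing_recipients(records) -> List[str]:
    """Only guests with recorded consent may be sent direct marketing."""
    return sorted(r.guest_id for r in records if r.marketing_consent)


def breach_hours_remaining(discovered_at: datetime, now: datetime) -> float:
    """Hours left to notify the regulator; negative means the window passed."""
    return (discovered_at + NOTIFY_WINDOW - now).total_seconds() / 3600


if __name__ == "__main__":
    for platform, issue in audit_data_map(DATA_MAP):
        print(f"GAP    {platform}: {issue}")
    print("REVIEW", records_due_for_review(DATA_MAP, GUEST_RECORDS, NOW))
    print("MARKET", marketing_recipients(GUEST_RECORDS))
    print(f"NOTIFY {breach_hours_remaining(BREACH_DISCOVERED, NOW):.0f}h left")
```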
13

While a GDPR implementation project will have an obvious focus on compliance, the survey questioned whether hoteliers were looking to deliver an improved customer experience. Only 16 percent of hoteliers indicated they would look to leverage GDPR rights, such as data portability, the right to be forgotten and subject access rights, as a means of improving the customer experience. There appears to be a lack of vision in the identification of new business opportunities that compliance with GDPR is expected to provide. Trust in personal data is expected to be a service differentiator in the future. Many hotels (and merchants) have already made investments in the design of the customer experience. Privacy by design will now be unequivocally linked to that customer experience.
14

How Much Will This Cost?

Our survey did not specifically inquire about the cost of GDPR implementation, but a recent survey by TrustArc did focus on GDPR spending. In their survey, 69 percent of UK respondents expected that their GDPR spending would be at least $100,000. Other results of the TrustArc survey were summarised in a table on this slide.

During our qualitative interviews, we spoke to data processors, hotel vendors, a couple of small hotels with 100 to 200 rooms, and one well-known national brand. They estimate a budget of between $500,000 and $1 million in the first year of getting GDPR ready. Larger hotel groups will have a greater budget specifically for GDPR, and a sum above $5 million will not be uncommon. One of the interviewees revealed that GDPR-related expenditure on external consultants could reach approximately $3 million in the next three months.

None of these conversations indicated that this level of spending would be reduced following the May 2018 deadline, because they felt that GDPR will not fade. Unlike the Y2K problem, it will require continuous investment over the next few years and eventually become an operational expense. Ongoing monitoring, procedures and processes will have to be improved as they deal with the operational challenges of subject access requests, requests to be forgotten, improved management of data subject consent, management of marketing databases, reward programs, gift card and voucher programs, etc. Data breach reporting and management must be established and will have to be tested with all suppliers handling the hotel’s consumer data.
15

How Can Edgar, Dunn & Company Help?

By working with EDC, there are three steps to follow for getting ready for GDPR, fast-tracking your strategies to ensure GDPR compliance or improving your existing plans:

1. A light-touch health check. We suggest no more than a few days to assess your current roadmap and readiness against the GDPR requirements; essentially, this is a gap-analysis step. In some cases, where there is an on-going in-house GDPR project, it is advisable to gain an outside independent perspective of your plans.
2. An in-depth data mapping of the current processes, people, platforms and places, as required by Article 30 of the GDPR. We use a range of sophisticated GDPR-ready documentation tools which best suit your business to perform this step.
3. A change management project: creation of new policies, such as a Subject Access Request (SAR) policy, retention policy and privacy policy across all customer touch points. This step will include staff awareness and training. We work with lawyers and solution vendors where necessary to conduct this step.

Based on our conversations with a range of hotels and their suppliers, the GDPR challenges they are experiencing today are very similar for other travel-related businesses, such as train operators and airlines. The higher the propensity for personal data needed in the booking and servicing of guests and travellers, the greater the need for a clear GDPR strategy and the need to embrace privacy by design.

We have found that most hoteliers and merchants that process personal data are focusing their limited resources on the processes to be compliant with GDPR. At this stage, this is appropriate and to be expected. However, at Edgar, Dunn & Company, we believe that the next wave of GDPR frenzy (i.e. post 25 May 2018) will be driven by the need to be more visionary in the identification of new business opportunities that will leverage data portability, access to centralised customer data and the monetisation of data.
16

If you are interested in discussing any of these GDPR or payments-related topics, EDC will be pleased to set up an initial conversation to discuss in further detail the learnings from this study and how you can optimise your GDPR strategy.

Contacts

Pascal Burg, Head of the Travel Practice
e: pascal.burg@edgardunn.com
t: +33 1 40 07 92 24
m: +33 6 79 37 55 47

Mark Beresford, Head of the Retailer Payments Practice
e: mark.beresford@edgardunn.com
t: +44 7283 1114
m: +44 7825 027525

EDC would like to thank all the hotels for their contribution to this GDPR survey, and the many organisations and individuals that provided information and perspectives that collectively form the foundation for this report. The observations and conclusions in this document are entirely those of EDC and are not intended in any way or form to reflect the views or perspectives of any individual or hotel operator.

Copyright © 2017 Edgar, Dunn & Company. All rights reserved. Reproduction by any method or unauthorised circulation is strictly prohibited, and is a violation of international copyright law.
17

Edgar, Dunn & Company (EDC) is an independent global financial services and payments consultancy. Founded in 1978, the firm is widely regarded as a trusted advisor to its clients, providing a full range of strategy consulting services, expertise and market insight. From offices in Frankfurt, Istanbul, London, Paris, San Francisco, and Sydney, EDC delivers actionable strategies, measurable results and a unique global perspective for clients in more than 45 countries on six continents.

For more information contact:
Mark Beresford
Tel: +44 (0) 7283 1114
Email: mark.beresford@edgardunn.com
http://www.edgardunn.com/

Strategy Consultants Specialised in Payments