For any hotel or chain unprepared for it, the impending rollout of new customer data security regulations in the European Union on May 25, 2018, could prove to be a costly oversight. The General Data Protection Regulation (GDPR) is bringing sweeping changes to the manner in which brands in all industries collect and utilize the personal information of their customers and others. The new regulations are intended to bring uniformity to disparate laws and their enforcement, while bringing data security into the 21st Century to effectively confront the security challenges faced today.
Any company collecting data from EU citizens must comply with the new regulations, regardless of whether it has a presence in the EU, or face steep penalties. The new rules will require hotels and all companies to obtain explicit consent each time a data point is collected and each time the data is utilized. Previously, hoteliers could collect and use guest data through implicit consent, combined with the offer of an “opt-out” for customers. The guest was then automatically signed up for email and other marketing campaigns. This practice will no longer be allowed for EU citizens. This is a complete game changer with regard to hotel marketing efforts directed towards EU citizens, including those of hotels outside the EU.
For hoteliers, the GDPR requirement for explicit consent means they must fully explain what they are collecting and why, and what exactly they intend to do with the guest’s data. Most importantly, customers must explicitly “opt in” by their own choice. It is also crucial to understand that each consent applies to one single purpose only and cannot be utilized again for any other purpose. Beyond the negative impact on brand reputation, the penalties for violating the GDPR are rather severe, and may include fines of up to 20 million Euros or 4 percent of the company's global annual turnover, whichever is greater.
North American or Asian hotels and chains that believe they will not be impacted by the GDPR should take a closer look at the new EU rules. The criteria for determining if the regulations apply are as follows: any company with a presence in any country within the EU; any company which processes personal data of EU citizens and has more than 250 employees; or any company whose processing of data impacts the rights and freedoms of EU citizens. What this amounts to is most companies in the hospitality space.
The potential impacts of the EU’s General Data Protection Regulation upon all hotels are rather sobering. Many hotels around the world fully expect to feel the results of its rollout, at least to some degree, in a negative way. Gaining insight into and understanding of the new regulations, and becoming compliant in advance of their implementation, is how hoteliers will be successful under the new regulations.