- Updated on 25.10.21 -

At SuitePad, we've been investigating how hotels and hotel tech companies are dealing with GDPR one year after it came into force.


It’s now just over a year since the EU passed the controversial General Data Protection Regulation (GDPR), and contrary to some predictions, the sky is yet to fall in and all services as we know them are still running! But, behind the scenes, there’s been quite a lot of work by businesses across various industries to ensure they meet these new requirements. The enforcement of the laws has been somewhat relaxed in the first year – unless you’re Google, which was fined €50,000,000 for a “lack of transparency, inadequate information and lack of valid consent regarding ads personalization.” But, not all companies out there can shrug off such large financial hits, especially in the hotel industry where revenue margins are somewhat slim and reputation is king. So, how has the hotel industry managed with the tightening of regulations for the processing and storage of customer data a year since GDPR was brought into force?


GDPR and the hotel industry

Let’s rewind a few years – in April 2016, the European Parliament adopted the GDPR, which became directly applicable in all EU member states as of May 25th, 2018. Now in place, it’s clear that the purpose of the regulation is to ensure that customers are protected and have more control over how their data is used in an age where the internet has made the collective use of personal data a lucrative business.

For hotels, this means that strict protocols need to exist for the handling and storage of customer information, and the list of what’s considered “personal data” is by no means small – names, addresses, photos, financial details, and IP addresses are all considered “personal data.” Complications arise when it comes to sharing customer data between Online Travel Agencies (OTAs) and hotels, or between different establishments that belong to one hotel group. For these companies, it’s important to gain consent from customers before data is used and it’s imperative that the collection and processing of customer data are presented in a clear and transparent way.

What’s more, any data that’s handled by third-party vendors is also included in the regulation, meaning that if a third-party vendor is found in breach, the hotel may find itself liable for a fine of up to 4 percent of its annual revenue – certainly not a small drop in the ocean! For businesses that don’t have the financial clout of Google, this could be detrimental.

All of this is a lot for hotel owners to address – particularly those who run small or independent businesses.


GDPR and the digitization of the hotel room

In recent times, hotel rooms have become battlegrounds for various companies seeking to use technology to bring them into the 21st century. According to revfine.com, trends to look out for in the hotel industry for 2019 include recognition technology, chatbots and AI, the use of big data, and more personalized experiences. All of these will require, or at least be bettered by, the shared use of personal customer data.

But, with the hotel industry on the cusp of a digital revolution, it seems like the GDPR regulations could lead to hesitancy on the part of hoteliers who want to innovate their hotel rooms.

The main problem is that as these technologies enter the hotel industry, so too does the need for the correct storage framework for customers’ personal data, and much of the responsibility rests on the shoulders of the hotel companies themselves. One year hasn’t really been long enough to reveal exactly how the hotel industry will need to adapt to meet the GDPR stipulations, but there are certainly incentives for adapting to this new legislation.

By partnering with companies that have already organized themselves to be GDPR compliant, hotels and hotel chains can shield themselves from the threat of walking into a legal minefield, or worse – a financially crippling fine!


SuitePad and customer privacy

At SuitePad, our solution doesn’t rely on big data in the same way that targeted advertising or other personalized platforms do – our platform runs independently of the hotel’s PMS with no shared information among third-party hotel tech vendors. Customers have the option to connect their interface to a third-party vendor, for example, their hotel PMS. In this situation, the use of any information that’s transmitted via the interface, such as names or other personal data for booking or ordering services, is clearly explained, and the information is deleted once its storage is no longer necessary.

By following this framework, we ensure that all data handling here at SuitePad is in line with the EU’s GDPR rules, so customers are protected from unwittingly having their data used for purposes they haven’t agreed to.

At SuitePad, we do also collect data on how our in-room tablets are used, but this is for the sole purpose of helping hotels optimize the effectiveness of their SuitePads and to help us develop more refined future products. This, however, doesn’t include the storage or use of any personal data as defined by the GDPR legislation, meaning overall user habits can be tracked without the need for storing sensitive data.

Upholding the rights of hotel guests is of the utmost importance to us here at SuitePad – our business depends on it! So, ensuring that we fully comply with GDPR is essential to us beyond the legal obligation.

It seems inevitable that as digitization becomes a normal feature of the modern hotel room, guests will need to give some of their personal data to companies if they want to experience the level of personalization that they’ve become so used to in other areas of their life. If you’d like to explore this topic more, check out one of our recent blog posts: Smart speakers in the hotel room.

- Published on June 21, 2019


Topics: Industry News

Gregor Herz

Gregor was a content marketing manager at SuitePad between May 2019 and October 2021.
