Having worked for years at an exclusive Dublin hotel, it’s inspiring to experience things from the perspective of a different industry. Life in tech and compliance is truly a world apart from hospitality.

But The General Data Protection Regulation (GDPR) unites us all.

What is GDPR?

The new EU GDPR makes organisations accountable for protecting personal data they hold on EU citizens. After giving two years to prepare, Data Protection Commissioners throughout the EU start enforcing the regulation on 25th May 2018.

Described as the “toughest data protection rules in the world”, organisations face GDPR fines of €20m or 4% of their global revenue.

The Challenge

Personal data flows through hotels like water. From online bookings to room or breakfast lists and emailed guest information. It’s the lifeblood of the business.

Everything about a hotel is personal. And the more exclusive the hotel brand, the more personal it gets. From the doorman greeting “Mr Smith” as he walks through the lobby to the receptionist’s wakeup call, hotels make it their business to give that personal touch.

But that also gives hoteliers a compliance headache; GDPR affects nearly every department in multiple ways.

Soft target for hackers?

The real damage till now comes from hackers who may see hotels as lucrative soft targets. Typically, hackers target client credit card details, but in a GDPR world, such an attack could devastate a hotel chain.

Calculating GDPR fines

Last week, Hyatt announced it suffered another Cyber Attack; the last one (late 2015) reportedly affected over 250 hotels across 50 countries.

The maximum GDPR fine is 4% of global revenue or €20m (whichever is bigger). In Hyatts case, they made $4.4bn in 2016 (with a 4.6% profit of $204m). So another Cyber Attack after May next year could leave them facing a GDPR penalty up to $175m.

Maybe safer for Hyatt to just leave Europe?

Interestingly, EMEA accounted for less than 4% of Hyatt 2016 sales.

This begs a question; is an organisation like Hyatt safer to just sell off its EU assets rather than risk GDPR fines?

Hacking’s an industry problem?

Hyatt isn’t alone. In April the InterContinental Hotels Group announced that 1,200 of its hotels had suffered a Credit Card Cyber Attack. 2016 sales of $1.7bn, means a similar attack affecting EU citizen data after May next year, could expose InterContinental to $68m in GDPR penalties.

What is a data breach?

OK, so hackers are an obvious threat, but in a GDPR world, personal data must be restricted to those with “a need to know”. While it makes for great customer service to direct guests to their breakfast table, if another guest in the morning queue happens to look over the unattended guest list, that’s a data breach.

Happening once-off may be forgiven, but Data Protection auditors will likely take a dim view of systematic breaches. A systematic breach could include hotels routinely leaving lists, (e.g. breakfast guest list) unattended.

In hotels, personal data is not just shared electronically; sharing also includes a lot of old-school paper records. Suitcase tags on luggage, internal documents or even a guests name scribbled on a piece of paper. All contain sensitive data which demands protecting.

HACCP for Personal Data?

Not so different to how hotels use HACCP to govern food preparation, GDPR compliance means hotels must introduce control points for data usage. From board level to the most junior employee, each organisation must protect the data handled and ensure compliance with the regulation.

While many businesses can update technology to manage personal data, hotels are quite different. To comply with GDPR, many hotels will rely on staff training combined with revised processes. Hotel management will likely play a bigger role policing GDPR than managers in businesses where technology can be used.

But change management takes a considerable amount of time. And The GDPR clock is rapidly counting down.

Are we prepared to adjust how we work?