In the spring of 2018 it seemed all anyone was talking about was GDPR. Fast forward 12+ months and, while it is still an important issue, the conversation appears to have quietened.
The General Data Protection Regulation (GDPR) became enforceable on 25 May 2018, replacing the EU data protection rules of the 1990s (the 1995 Data Protection Directive). Those rules were no longer sufficient to keep information secure, because they were not written for the way businesses now operate. Unlike voluntary best-practice guidance, compliance with the new regulation is a legal obligation.
Across the hospitality industry we hold a large amount of personal data. From an initial enquiry to making a booking, people trust us with their information, from names and addresses to car registration numbers and bank card details, and those people include visitors from across the world. We work on an international scale, so keeping their information secure is a huge task and one of paramount importance.
Much effort went into making businesses GDPR compliant by the implementation date, but now that it is done, are we still making it a priority? If not, why not? During one of our regular HOSPA meetings, members received a timely reminder that GDPR is never really finished: it needs constant attention, especially within the hospitality industry.
It is not just the personal data of guests and visitors that we must keep safe. With such a wide range of job sectors throughout the industry, hospitality businesses and organisations perhaps hold more employee information than most. The volume grows further when you consider the fluidity of the hospitality job market, with people often moving between different roles and venues.
Like GDPR, cyber security ebbs and flows in and out of the public consciousness, but it is a big issue in hotels, given the amount of information they hold. Yet while we may all be aware of the risks, what is less clear is how the information is used once it has been taken.
This is an issue that’s been highlighted by the team at Vodat International, a HOSPA sponsor, with whom we work closely. The sheer amount of personal information held by hospitality organisations has not gone unnoticed by cybercriminals, who are using any means necessary to hack into hotel computer systems.
So, what do they do with the information once they have got it? A recent report by Vice.com revealed that criminal operators are using hacked data to set up ‘dark web’ travel agencies which sell super-cheap holidays to buyers, with ‘discounts’ of more than 70%. Bookings are then made using the stolen personal data of law-abiding people, or paid for with loyalty points drained from their accounts.
While there are no official figures for the amount of money the hospitality industry loses each year, Vodat International estimates that it runs into billions.
The consequences for those involved are, of course, severe. A British hacker, Grant West, was jailed in May 2018 after using stolen data to fund gambling holidays to Las Vegas. In terms of GDPR, the ICO recently announced its intention to fine British Airways £183m for ‘poor security arrangements’ after the personal data of about 500,000 customers was stolen by hackers, while the Marriott hotel group has said it will appeal a proposed fine of almost £100m after hackers stole the records of 339 million guests.
But jailing hackers does not help the many people affected by such a breach, and most hospitality organisations could not pay fines of that size, so it is important that the right practices are in place to secure personal data.
GDPR may now be in place, but it pays to review processes regularly to make sure they remain up to date and in line with the business’s growth and activity, especially when these are themselves changing regularly.
By Jane Pendlebury, CEO of HOSPA