Modern technology allows businesses to easily collect, store and use vast amounts of personal data about their customers. In the hospitality industry, hotels can use this powerful data to enhance, streamline and personalise guest experiences. However, with great power comes great responsibility, and hospitality businesses need to ensure that they handle their data responsibly.
Having previously been a partner at Clyde & Co LLP and Locke Lord LLP, and with a legal career that includes specialisation in data protection, privacy and IT, few are better equipped than Katten Muchin Rosenman UK LLP Partner Alan Meneghetti to offer guidance to hoteliers on how to handle sensitive guest data carefully.
We chatted with Alan to get the expert's opinion on how hoteliers can ensure they are treating their guest data with the care it deserves, and in compliance with current and incoming data protection laws.
Where did you first begin to work with hotels and the hospitality industry?
My first venture into hospitality was working as a room attendant at Sir Rocco Forte’s fledgling group’s first hotel, the Balmoral Hotel, in Edinburgh. I went on from that to be a trainee hotel manager at the Balmoral and then to work as Restaurant Manager at Sir Rocco’s first purpose-built hotel in Cardiff Bay, the St David’s Hotel & Spa (which the group has since sold).
I knew that I loved the hotel business and spent a long time trying to work out how I could combine it with law, which I had read at both the University of Cape Town and the University of Aberdeen.
How do you think hotels will be affected by the new privacy laws coming into effect next year?
Hotels, as with most other businesses, will need to ensure that they are up to speed with the requirements of the General Data Protection Regulation (GDPR), which commences across the EU on 25 May 2018, and ensure that their systems and agreements with their contractors are compliant with the requirements detailed in the GDPR (many of which are either new or extensions of the requirements under the existing European legislation).
It is also worth remembering that the GDPR does not only apply to hotels operating in the EU, but also to those which offer services to customers in the EU (for example, gift cards, mail order and so on).
With the rise of personalisation and hotels asking guests for more data than ever and often on different platforms, do hotels in general put enough emphasis on data security?
No, but then I don’t think most businesses do! Hotels hold an enormous amount of personal data and, quite often, personal data which is of a sensitive nature (for example, information about guests’ medical conditions or meal choices which may indicate a religious preference), not to mention credit card and billing information. As a result of this, the data that hotels hold is particularly valuable and presents a prize target for thieves and fraudsters wishing to exploit vulnerabilities in a hotel’s IT network.
Hotels need to ensure that they know exactly what data they hold, how long they are holding it for, where they are holding it and what security measures they have in place to safeguard that data (as well as whether that security is currently sufficient – something which requires constant evaluation).
Can hotels expect increased pressure to be transparent about how they are protecting guest data?
Not necessarily so, in a general sense, although if there is an incident relating to personal data held by or on behalf of a hotel, the hotel must be in a position to respond to that. It is imperative that hoteliers have a plan in place for handling data incidents that is agreed upon and rehearsed in advance. Hoteliers also need to be prepared to explain to an investigating regulatory authority how their systems are set up and why they believe them to be sufficient to protect the data which the hotel holds.
What is the first question a hotelier should ask when assessing whether their security measures are good enough?
How strong, and where, is the weakest part of my network? This is where the vulnerability lies.
Is there a chance that hotel staff could unwittingly be breaching privacy laws or regulations, particularly in smaller hotels?
I think that there is every chance that this is the case. For example, does the hotel use a cloud service provider to back up its personal data and, if so, where does that cloud service provider physically store the data? If it is outside the European Economic Area (EEA), is the hotel able to point to a lawful ground (such as guest consent) to permit the export of this personal data outside the EEA?
What advice would you give to independent hoteliers to ensure they comply with the new privacy laws?
Spend a little bit of time getting to know your obligations under the GDPR and your network infrastructure. You can then work out if you need to update your customer and supplier agreements and your IT network, and create a plan to detail the areas that need addressing in order of priority.
What’s the best hotel you’ve ever stayed at?
May I have two please? I love the Balmoral in Edinburgh because it is just so beautiful and perfectly decorated and I have watched it evolve since I first went there in 1996. Hadrian’s and Number One are also two of my favourite restaurants – amazing food, great service, and both in settings which perfectly complement the food they serve. And then the Imperial in New Delhi, which has the most amazing food and service, and is a haven of calm and tranquillity in the middle of a thriving, bustling and generally very busy city.