Ian Osborne, Vice President UK & Ireland for Shred-it, discusses the challenges associated with managing the complexities of GDPR compliance in the high-pressure, data-rich hospitality sector
On recent evidence, the hospitality industry places joint third in the top ten sectors most compromised by security infringements (1). While the sector has seen a dip from 12% in 2017, it is still sitting at 10%, significantly higher than utilities, payment services, food & beverage and healthcare. The attacks directed towards hospitality saw cybercriminals breach corporate and internal networks as they sought out card-track data (43%), financial credentials (29%), and proprietary information (14%). This puts the industry under pressure, particularly when it must now adhere to the compliance requirements outlined in the General Data Protection Regulation (GDPR).
GDPR asks that the capture and management of customer data follows stringent rules. Businesses have to engage with customers in ways that are non-invasive, recognise their privacy, and respect their rights under the legislation; and all data gathered about customers has to be stored, managed and accessed in line with rigorous GDPR requirements. Meeting these requirements has been, for many organisations, a costly endeavour. GDPR is pervasive and it affects all members of the hospitality industry regardless of their location. If their customers are based in the European Union, then they have to follow GDPR compliance procedures and take full responsibility for any breach or failure to show their compliance credentials. The punishment is far more expensive than preventing the breach in the first place.
This presents the hospitality industry with a complex challenge: the management and protection of customer data. Customer data is valuable for all parts of the industry, from the online travel agent to the Airbnb host, in engaging with customers and ensuring a personalised experience. But what can the industry do to protect itself and ensure full GDPR compliance?
The hotel industry: Front end and back end compliance
A key step is to undertake an assessment of the existing data compliance systems and to locate any gaps that may exist between the front end (consent and privacy policies) and the back end (data access and breach management). The difference between the two is important. For the front end, the ways in which the industry sources and stores customer data have to comply with GDPR standards. All third-party applications and services have to be thoroughly vetted, with customer information collated in accordance with specific guidelines, and privacy policies stringently outlined and followed.
For the back end, it is essential that only specific individuals gain access to the data and that all hard copies are stored, managed and destroyed properly. Hotels, by their very nature, process and store vast quantities of sensitive data, often in paper format, including names, addresses and financial details and, for this very reason, are a major target for malicious threat actors. Best practice would suggest scanning and storing paper records in an encrypted archive from which data can be retrieved when necessary. Even better, as GDPR encourages firms to keep only necessary data, processes should be in place for filtering archive material for information that poses an unnecessary risk to store. Paper records should then be securely disposed of, and their destruction guaranteed.
Unified data storage
Another step towards full GDPR compliance is to unify data storage and disposal methods across a business. For a hotel chain that spans continents and countries, it is common to have different systems for data storage and disposal, including low grade on-site shredding devices. The lack of a unified data management and destruction strategy is a risk. It doesn’t matter how secure the system is, how robust the compliance or how impressive the policy in a hotel chain if one branch isn’t paying attention.
The solution is to invest in a strategy that can be easily and effectively implemented across all areas of the business. This could range from the use of a vetted, GDPR-compliant third-party supplier that understands the requirements of the brand and implements agreed procedures globally, to clearly outlined policy and ongoing staff training. To this end, it is also advisable to appoint someone as GDPR practitioner, or to allocate GDPR compliance responsibility to a specific role or individual who can then provide staff training and enforce policy. It is worth noting that negligence is one of the biggest causes of data breaches. The most robust approach would be to combine all of these measures, ensuring that the supplier is in use across the business, that the same procedures are followed everywhere, and that routine is precisely managed.
Some innovative approaches that have been adopted in the industry include: replacing standard waste bins with lockable consoles to ensure any disposed-of documentation, for example at front desk and in a business lounge, is inaccessible before it is regularly collected and securely shredded; using on-demand shredding and disposal services to manage extensive paper clear-outs; and visible signage that reinforces shredding and document disposal regulations.
The hospitality industry has to balance the complexities of thousands of staff, numerous third-party service providers, and part-time employees against the demands of security and GDPR compliance. It is a difficult task, but it isn’t impossible. Partnering with GDPR-compliant organisations that can offer robust and reliable services takes the pressure off and allows for deeper GDPR integration across other areas of the business.
To learn more about Shred-it’s GDPR compliance survey visit: https://www.shredit.co.uk/en-gb/resource-centre/infographics/gdpr-compliance-survey