Navbar button Logo Search Button

Tips for Hoteliers: How To Keep Your Guests’ Data Secure

JodyP 30 September 2019
Tips for Hoteliers: How To Keep Your Guests’ Data Secure

Cybercrime is on the rise, and the hospitality sector is a prime target. With recent high-profile attacks affecting US chain Marriott and China’s Huazhu Hotels Group, it’s an issue that hotel executives can no longer ignore. Marriott were said to be fined nearly £100m over their security breach, so it’s vital customer data is protected to prevent similar outcomes.

Cyber criminals are constantly finding new and increasingly sophisticated ways of stealing sensitive customer data from hotel websites, systems, servers, mobile platforms and even front desks. It’s imperative hoteliers have the correct means of accepting, storing and protecting themselves from data breaches. With cyber criminals becoming smarter every year, hotels need to be compliant and ahead of the game.

Accepting and storing customer data
First and foremost, hoteliers in the UK should be complying with GDPR legislation, a regulation of the European Union (EU) that came into effect on May 25, 2018. It introduced controls and limitations on how businesses, including hotels, may use, manage and share personal data.

The Information Commissioners office (ICO) can now issue much larger fines for data breaches and non-compliance than with the previous Data Protection Act.

Remaining compliant with personal data
‘Personal data’ refers to data about people in the EU, including employees as well as guests. This data is anything that can uniquely identify a person, for instance their name, phone number, IP address etc.

To remain compliant with GDPR and keep personal data secure, hotels should take into consideration:

GDPR affects the software hoteliers use. The software itself must follow the same obligations with data that the hotelier has. If a vendor receives personal data from a hotel, they should share a Data Processing Agreement with them to confirm the vendor is GDPR compliant.

When it comes to vendors that process guests’ personal details, hotels must recognise the type of data a vendor processes, why it is being used, obtain a Data Processing Agreement, mention the vendor in their Privacy Policy, including their purpose and how the data will be used, and confirm they can handle data rights requests.

Storage Methods
Though GDPR outlines that businesses have a responsibility to protect data, it doesn’t specify exactly how businesses should protect personal data.

“…the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk “

Below, we outline an example of some appropriate measures to ensure security:

Protecting data and avoiding breaches


Encryption is one of many options available to protect data, though not specifically required by GDPR. If you encrypt your hotel’s databases, your guests’ identities and their personal information is obscured.

Frequent auditing and testing

Frequent security audits and penetration tests should be performed to ensure internal procedures are keeping up with industry developments. If it’s found that they aren’t, frequent evolution needs to be taking place.

Audits can help hoteliers identify what’s working well, and more importantly, what’s not – where the vulnerabilities lie. This includes backups, virus and malicious activity protection, hardware, firewall protection, passwords, admin rights and business continuity.

Human firewalls

IT security is 50% infrastructure, and 50% user training. Training and proper procedures for staff are critical when it comes to storing and protecting data. In fact, one of the biggest vulnerabilities to hotels is their employees’ lack of awareness.

Having solid procedures in place is just as important as making use of the right, secure technology. A cybersecurity risk assessment will be able to highlight any weak spots, allowing you to take action against the results and better implement internal policies.

Backup procedures

Backups are essential to protect critical data; however, it is recommended you have a backup in more than one place. For instance, via cloud technology and via a physical solution. If a virus breaks out, to prevent it spreading, you don’t want to rely on a physical device attached to your network.

At the end of the day, a multi-layered approach to cybersecurity is necessary to ensure complete security and peace of mind for hoteliers. With systems under attack on a daily basis, can your hotel afford not to?

The article was produced by ramsac, an IT support and managed services provider, offering a proactive 24-hour service which cuts the stress out of managing technology.