Consumers are aware that the personal data they provide are a source of income for many companies, which is why they provide them more cautiously and expect effective security measures. How will GDPR affect their security, and what challenges does the hotel industry face in the context of the new regulations?
GDPR is an issue of high interest for both Poland and the European Union. Controversies related to the Union’s regulation on the protection of personal data concern not only companies, institutions, or online shops, but also hotels, where our data are processed on servers. It is no great discovery that hotel facilities collect a variety of information about their guests, and these data include more than first name, surname, address, or telephone number. Few people are aware that hotels may also store recordings of telephone calls or images of their guests recorded with surveillance equipment, and if the hotel facility offers SPA services to its clients, it will also store information about their health. So what changes can the hotel industry expect in the context of GDPR?
Wherever we are, we have to protect our personal data. For exactly this reason, the European Union implemented a number of new and cohesive principles. Total data minimisation is the most important of them. In practice, it means that the hotel should process only the information actually necessary for the proper execution of hotel services. Thus, employees should no longer require the identity card number or make copies of identity documents. However, in case of claims, if any, related to improper execution of hotel services, the personnel are entitled to request the client to state their residential address and PESEL number.
The situation is similar with health resort and biological renewal services, where clients are obliged to provide health information in the card. The right to be forgotten may prove to be another revolution. It gives the client the possibility of filing an application for immediate erasure of all information about the guest, collected in both paper and electronic versions. When checking in, few people really look at the document they sign and what it includes. That is a pity, because the check-in card features many entries that are used, for example, for marketing purposes. The European Union took care of this aspect as well. The hotel industry is obliged to communicate transparently and present understandable information to guests about the fact and purpose of the processing of their personal data.
These changes bring about some fear, and for hotel personnel they will be quite a challenge. Adaptation to the new procedures is necessary and will be even more difficult for those who have not been observing the principles of personal data security so far. GDPR also introduces financial sanctions for not following the Union’s regulations, and these may be truly severe. Their upper limit is the abstract amount of EUR 20,000,000 or 4% of the annual worldwide turnover for the previous financial year. The Union legislators have also foreseen the possibility of auditing the protection of personal data by certification entities. For Poland, this means the Polish Supervisory Authority (UODO), as well as private organisations operating by virtue of a mandate from UODO.
Each hotel, irrespective of the quality of the services it provides, should ensure privacy for its guests. Observing the GDPR regulations may appear troublesome in the beginning, but discretion and the clients' feeling of safety will affect the hotel's good reputation, which is priceless in the hotel industry.