Data Privacy and GDPR – Not Just a Problem for European Hotels

What is GDPR?

GDPR stands for the General Data Protection Regulation, which goes into effect on May 25, 2018, and regulates how companies can use the personal data of European Union citizens.

You can learn about the details of the law on the GDPR website. In a nutshell, these regulations specify that guests must supply written consent to the use of their personal information for marketing purposes. Guests also have the right to access their data, to know how it is being used, and to be “forgotten” should they wish their personal information not be stored.

Meeting these requirements requires hotels, resorts and spas to obtain consent during the booking process and to comply with requests for information or removals.

Our Property is not in Europe – why does this matter to me?

These regulations benefit every citizen of the European Union, regardless of where the data is collected and processed, and their enforcement applies to every property that markets to, and hosts, EU citizens. If you are not in compliance, you could potentially face very large fines. Some properties that do not specifically target a European market may decide not to do anything special to comply with GDPR. However, we are encouraging all SMS clients to take these regulations seriously and to be prepared to respond to all requests.

How is SMS Working to Help Customers Comply with GDPR?

We have developed a series of features that will allow hotels and resorts to comply with GDPR, as well as provide ways for you to enhance overall guest data security.

  • Change logs have been enhanced, allowing you to track guests’ privatization preferences with change reason codes as well as freeform descriptions.
  • A report, suitable for sharing with a guest, will be available listing the personal information that you have within your system. It will be available in both printed and portable formats.
  • A configurable data retention period has been added so that you can maintain compliance with legal requirements prior to removing any individual’s personal information. For example, if you are required to retain all guest data for three years, this configuration setting will ensure that you comply with the data retention rule ahead of removing personal information by guest request.
  • Anonymization will enable you to “forget” a guest upon their request. This approach replaces all personal information with generic tags, allowing your operational data to remain intact for reporting and historical accuracy.

Remember that these items are only a piece of the GDPR puzzle. You will need to ensure that all of your systems are in compliance and that your staff is trained on responding to inquiries and requests. These features will be available beginning with v22.1 of the SMS|Host property management system and v.7.0 of the SpaSoft spa management system.