When the letters G-D-P and R enter a discussion, people normally think of personal data from the EU, maybe focusing on the financial or health data that are collected and processed on individuals and the organizations that are built around that information. When considering the organizations that interact with that data, people tend to focus on the financial industry, the healthcare industry, and maybe retail. What people may not stop to consider is the impact that the GDPR could have on an industry that most people interact with on a frequent basis: the hospitality industry.
When you look up the definition of hospitality, you get a couple of possible definitions:
- The friendly reception and treatment of guests or strangers.
- The quality or disposition of receiving and treating guests and strangers in a warm, friendly, generous way.
These definitions differ slightly, but the central concept is the same. Hospitality is the practice of making guests feel welcome. How do organizations in the industry do that? By collecting and processing information from their patrons in order to make the experience feel more comfortable, maybe even more like home. The more information that is collected and processed on the individual, the more the experience can be tailored to the individual. Thus, for organizations in the hospitality industry, it is in their best interest that the information is quality information that is accurately collected, processed, and maintained on the individual. As the information can be linked to and aid in identifying individuals, some, if not most, of the information may very well fall under the scope of the GDPR.
During our interactions with organizations preparing for the GDPR, we have come across some frequently asked questions, some of which pertain to the hospitality industry. We have collected those questions and have put them together in this FAQ document covering topics such as:
- How does the GDPR affect the hospitality industry?
- Is it important to evaluate our data collection practices (data inflows)?
- What personal data elements are important to consider in meeting GDPR?
- Is it important to assess data sharing arrangements with third-parties (data outflows)?
- When and how should the organization inform data subjects of privacy practices?
- Should I be familiar with data subject rights?
- What do my breach notification procedures need to include to avoid fines?
- Do I need to improve anything from a security perspective to meet GDPR requirements?
- What is this I keep hearing about the “right to be forgotten”?
- How does the GDPR apply to marketing practices?
- What kind of privacy awareness training should we be providing to employees?
Please feel free to download and review the document, and contact the privacy team with any further questions!