Data protection for the hotel industry-A guide to Privacy-by-Design
Struck by a wave of recent data breaches, hotel businesses have been compelled to safeguard their security systems and servers better. Traditionally, customer service and guest comfort have taken priority over data security and IT infrastructure; hence, the failure to identify potential data threats.
Hotels are vulnerable as they are storehouses of credit card information. Significantly, the age-old convention of using passports for guest verification is now a major security risk.
Due to the far-reaching implications of cyberattacks and the evolving security trends and regulations, the industry has had a fair bit to cope with.
At no time in history has there been more emphasis on data collection, protection, and liability. Over the last few years, privacy regulations have increased in number and rigour. Businesses are now held accountable for their carelessness, inaction, and their bad luck. If a breach occurs, they must report the incident within the prescribed minimum time-period, to avoid fines and penalties. With the GDPR and other GDPR-grade regulations, businesses must retrospectively demonstrate that Privacy-by-Design standards were applied in the first place.
Introduction to Privacy-by-Design
Privacy-by-Design comprises seven principles. They apply not only to IT systems but to people and processes as well.
We know that changes to data security are required on multiple fronts. Traditional IT providers, however, may not possess the expertise that security assessment and breach prevention demand. Best practice involves retrofitting processes and systems based on these principles.
Implementation may take time and resources, but it saves an organisation the legal, financial and reputational fallout that accompanies every breach.
For hoteliers and managers looking to amp up data security, here are five key steps:
1. Secure confidential data (hotel and guest) in safer systems
Assess the security and privacy status of all existing systems. Specific attention must be paid to third-party systems that are used or integrated with. Implement changes to address any security or privacy gaps identified.
When it comes time to make these changes, pick IT vendors that are compliant in the data protection regulations that impact your business. As guests visit from all over the world, GDPR-compliance should be a minimum requirement. Vendors must also be able to implement Privacy-by-Design principles.
2. Encrypt all Personally Identifiable Information (PII)
The importance of encrypting personal information cannot be overstated. It is similar to the efforts we put into securing our funds in banks as opposed to stacking piles of cash at home. But sadly, most systems do not have encryption by default.
If done right, encryption can be invisible to users — delivering enhanced data security while maintaining high standards of user experience.
3. Maximise data minimisation
a) Data that is not absolutely required, shouldn’t be acquired. Critically examine the data being collected from your customers, suppliers and employees. Eliminate what’s not needed and review it every six months.
b) Investigate and minimise data duplication across systems. Determine if there are multiple records of the same customers, suppliers or employees. Reduce duplication as far as practical and schedule six-monthly reviews.
c) Limit the duration that customer data is held. Define a period that it will be of value to the business, not any longer. Data kept exclusively for audit purposes must be placed in an encrypted archive.
4. Segregate the data
Storing all data in one place is not just a security hazard, in many cases it also violates data protection and privacy laws. Data segregation means storing it in different places — distributing all customer records across multiple databases. This way, in the event of an attack, only a fraction of the data will be affected.
5. Prepare the response plan
When a breach occurs, it is vital to have a sound response plan in place — IT and communication, internal teams, customers, regulators, suppliers and vendors.
Hotel staff need to be trained on data handling methods and countermeasures. The actions and responses of an organisation impact public perceptions and regulators’ findings — and resultantly, the extent of penalties.
Hotels deal with vast amounts of personal information every day. The security of every guest is paramount — both physical and digital. Privacy-by-Design provides an ideal framework to address current and future needs. It’s time these principles are put into practice.
