With millions of daily transactions worldwide, the hotel industry is among the sectors most affected by cyber attacks, and those attacks are becoming more frequent. Will this problem be solved by the entry into force of the GDPR (General Data Protection Regulation)?
Why have hotels become the Achilles heel of data security?
The increase in cyber attacks on the hotel industry in recent years, and especially on independent hotels, is due to the low level of protection in hotels.
Recently, the hotel industry has had to adapt to new technologies to automate processes and offer guests a direct channel for contact and reservations, but data security, in many cases, has not been a priority. As a result, investment in security has been lower and the hotel has become the most vulnerable actor, suffering attacks on a daily basis.
There are other reasons why the hotel is today one of the most insecure structures in terms of data protection, and the most important of them is the human factor. Hotel staff, in many cases, lack training on the importance of security and on the correct use of the technologies implemented for this purpose. As a result we often find card numbers stored in a document on the desktop, screenshots containing customer data sent by email, telephone calls to customers requesting card details, etc.
If we invest in a secure platform, its implementation must be accompanied by training for hotel staff so that they use it properly, and thus prevent data from being transferred from a secure online world to an offline and vulnerable one.
One of the immediate measures that can be taken in order to comply with the new Data Protection Law (GDPR), which will take effect on May 25, 2018, is the implementation of a PCI-certified booking engine together with staff training in the handling of personal data.
What is PCI Certification?
The PCI Security Standards Council is an open global forum dedicated to the formulation, improvement, storage, dissemination and ongoing enforcement of security standards for the protection of account data. It establishes a series of standards that must be met by ecommerce platforms such as booking engines. For a booking engine to be PCI certified it must undergo an audit that verifies that it meets all the security standards the Council requires.
More about the GDPR
The entry into force of the new European Data Protection Law (GDPR) seeks to ensure the privacy of all citizens of the European Union. The consequences of not following these strict rules are severe and can harm the income of hotels that have not adopted the recommended measures by May 25, 2018.
What are the penalties for non-compliance of the GDPR?
Organizations can receive a fine of up to 4% of annual global turnover or € 20 million for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infractions, for example not having sufficient customer consent to process data, or violating the core concepts of Privacy by Design. There is a tiered approach to fines: a company may receive a 2% fine for not having its records in order (article 28), for not notifying the supervisory authority and the data subject about a breach, or for not performing an impact assessment. It is important to keep in mind that these rules apply to both controllers and processors, which means that cloud service providers ("clouds") will not be exempt from compliance with the GDPR.
What happens to the data of those under 16?
Parental consent will be required to process the personal data of children under 16 for online reservations. Member states can legislate for a lower age of consent, but it may not be lower than 13 years.
In order to comply with the new regulation, avoid sanctions and give guests confidence, we recommend consulting the complete information about the GDPR provided by the European Union.