By Alvaro Hidalgo
The European Union (EU) General Data Protection Regulation (GDPR), adopted in April 2016, places a substantial mandate on EU-based organizations, as well as on any organization doing business with EU residents. The GDPR applies from May 25, 2018, and poses significant challenges to the hospitality industry, which manages a vast amount of personal data. To address this, Hospitality Financial and Technology Professionals (HFTP®) convened a multidisciplinary team of experts to examine the different facets of the GDPR's impact on the hospitality industry. The task force met in July 2017 to prepare for the upcoming deadline.
Lucinda Hart, CAE, MBA, HFTP chief operations officer, explained, “The GDPR is greatly impacting the hospitality industry and the dedication that HFTP and our members have committed to industry awareness demonstrates HFTP’s commitment to assisting our stakeholders in finding solutions to their challenges more efficiently than any organization.”
When the task force met this past summer, it set out to address the following:
- Identify the major challenges for the industry to achieve compliance, as well as the stakeholders involved;
- Provide guidelines to enable the industry to assess their specific needs to achieve compliance on time;
- Define the specific features of a Hospitality Data Protection Officer (HDPO) job role, and resulting from this, propose the structure of a HFTP HDPO certification;
- Establish a communication policy to create awareness within the industry.
As a result of the meeting, the group detailed the needs to be addressed within each of these areas as we move forward in the coming months.
Challenges and Stakeholders
Management of Clients' (Customers') Consent:
- From the client's perspective:
How to obtain the specific, informed consent required by the GDPR while avoiding overwhelming the customer with large forms and excessive questions.
- From the operation's perspective:
How to comply with GDPR requirements on purpose limitation, accessibility, availability and security of personal data.
How to identify, locate, modify and/or delete a client's personal data across the operator's systems.
- From the organization's perspective:
Identify the extent of a client's consent in multi-stakeholder operations.
- Stakeholders: systems vendors (PMS, CRM, etc); distribution and marketing; loyalty programmes
Management of Personal Data Within Organizations in the Industry
- Identify responsibility for the management of personal data in multi-stakeholder operations:
Owner/operator and owner/operator/franchisor
Multi-brand operator and multi-brand owner
- Assess the GDPR's impact on management contracts and franchise agreements
- Personal data export:
GDPR impact on multinational companies operating both within and outside the EU; limitations on data export
Management of Data by Third Parties
- Categorize third parties within hospitality arrangements according to their GDPR role (controller/processor)
- Third-party vetting: processes to ensure that third parties comply with the law
- Compliance with the GDPR outside the EU
- Who needs a DPO? Considering the wide range in size, footprint and characteristics of the different parties in hospitality (including hotels, restaurants, clubs, etc.).
- List of definitions: controller and processor, entity, privacy impact assessment, privacy by default, etc.
Hospitality Data Protection Officer
- Profile of the DPO for hospitality:
What profile is best for a hospitality DPO?
Conflicts of interest: who can and who cannot be a DPO?
- Job Description of the HDPO
- Specific features of the HDPO versus a generic DPO
- HDPO certification and structure
The initial meeting in July was designed to define the work ahead, and as a result the members are now building the guidance we are tasked with producing. In the coming months the group members have been given specific assignments to address the points outlined above. Projects ahead of us include:
- Design a registration card
- Diagrams of personal data flow in the different types of organizations
- Examples of data flows
- Examples of Hospitality Project Management
- HDPO job description and executive summary review
- List of conflicts of interest
- List of reporting lines
- Examples of certifications
- List of definitions
- Create a standard template for property management system (PMS) vendors to request progress details towards GDPR compliance
As the HFTP DPO Task Force moves forward, look for updates on the HFTP web site.
Alvaro Hidalgo is the chair of the HFTP DPO Task Force. He is also the managing partner with FIRSTLOGIC Consulting based in Spain. He is the former director, Morocco at ENEFIT, the largest oil shale processing company in the world. Hidalgo was also previously the CFO at ASCARI RACE RESORT. He is known for strategy analysis and implementation, market entry, project planning, and compliance with multiple legal and financial frameworks.