Over the past year, many of us have been bombarded with emails from companies virtually begging us to allow them to keep our personal details on file.
According to Timo Kettern, director of information technology at Event Hotels and a member of the HITEC Europe Advisory Council, although the constant bombardment proved somewhat annoying to consumers – Kettern uses a more forthright term – companies were running scared as they realized they did not have the consent needed to handle our personal data.
Kettern was part of a HFTP working group preparing for the introduction of the EU’s General Data Protection Regulation and co-produced a couple of papers to help hoteliers come to terms with the GDPR rules, outlining the steps they would need to take in order to comply. The papers were presented at HITEC Amsterdam a year ago, and this year the conference on the Spanish island of Mallorca will review the progress made.
Speaking specifically about the German market, Kettern says that since May last year, authorities have focused on educating businesses and the consumer about data protection rather than enforcement. Consequently, the impact so far has not been as severe as had been anticipated.
“I’ve not seen any fines for larger organizations,” he says, adding that several smaller firms had been fined around 20-25,000 euros. Nevertheless, he is now expecting the data protection authorities in Germany to begin looking into complaints.
Kettern says that in his own organization, he had previously struggled to convince the leadership team of the importance of data protection or of the need to increase training budgets. “GDPR has changed that. Data protection now has visibility at the C-level and GDPR has helped people like myself to get budgets approved and get working parties started, together with HR for training and for the practical changes we had to make in our operations. So that, for me, was the biggest impact.”
Had companies overreacted to the introduction of the new digital privacy rules? Although there may be certain parallels with the way in which companies had handled the Y2K ‘non-event’ nearly two decades ago, Kettern does not believe companies had overreacted, saying that the GDPR had raised awareness in the industry and given professionals like him “the budgets, the freedom and the support needed to deal with the issue because at the end of the day, it’s kind of a risk exercise. How much are you prepared to spend to minimize the risk?”
As to the action hoteliers should be taking now, Kettern advises they should make staff training a priority, in addition to making sure they update passwords and have firewalls in place. “It’s one thing to have the procedures documented and your systems in place, but it’s people who need to make those processes work.”
“It’s very simple for someone at the reception desk to leave a guest registration card lying around or spin the (computer) monitor around so that someone else can see the data.”
‘So, what we’re doing, we’re attacking this on several levels. First of all, data protection is part of the employment contract. It’s also about the consent that we, as an employer, can hold the data.” Staff also need to acknowledge formally, as part of the employment contract, that they aware of the guidelines.
One complication though is posed by the franchise model in the hospitality industry. This means franchisees have to conduct training and self-audits, in conjunction with a data protection officer who should be part of the HR team.
Kettern (pictured right) says one of the major challenges faced in running franchises in Europe for major hotel chains in the US and Canada is that “by default we are exporting guest data to North America.” In terms of the GDPR, he says, this is critical.
As a hotel operator working with US-based hotel chains such as Marriott and Hilton, “it’s our obligation to make sure we get confirmation from the brands that they’re dealing with the data in North America in the same way we deal with it in Europe. They’re all giving us that (assurance) but we can’t control that.”
As the tension rises again, a second wave will come
“We’ve changed some – not all – of the processes because we always took data protection seriously.”
“We’re in an acceptable position but I think we can still improve.” For companies to know whether they are on the right path, they may, however, have to wait for the first court rulings with judges giving their interpretation of the regulations. These rulings will, Kettern says, “influence our future and how we’re going to change things in the future for sure.”
The first wave of activity (and anxiety) has ‘calmed down’, Kettern says, but with the possibility of the authorities pursuing potential breaches, “the tension will increase again and there will come a second wave.”
‘Networking, education and finding new things’
On HITEC Europe, April 9-11 in Mallorca, Spain, Kettern says: “The networking aspect is very important as I’ll be catching up with colleagues. So too are the educational sessions, to see what the trends are. There are lots of subjects around digitalization, robotics, artificial intelligence, as well as to overcome one of the challenges we face in hotel operations which is finding appropriate staff.”
Kettern says he’ll be taking a look at the new technologies on offer and will be meeting suppliers on the exhibition floor, and not just the central aisles as those on the edges can be interesting.
“So, it’s networking, education and finding new things … It’s going to be fun.”