What Hotels & Restaurants Need to Know About GDPR
posted Mar 7, 2019 by Daniel M. Andrea, CPA, CITP, CISA in the Restaurateur Blog
Hotels and restaurants…you’ll want to revisit your data privacy policies to factor in changes made by the General Data Protection Regulation (GDPR). The GDPR is enforceable for all businesses that collect the personal data or monitor the behavior of EU citizens (even if they are not based in the EU). The GDPR took effect May 25, 2018 but much of it is still being discovered by businesses across all industries. Regardless of where your business is headquartered, you are required to safeguard the personal data of individuals in the EU. Read on.
More about the GDPR
Check out our blog, The General Data Protection Regulation (GDPR) Takes Effect May 25th 2018 for information on complying with the GDPR, but essentially there are 99 articles in the GDPR which outline data security guidelines for businesses and individuals.
Your restaurant or hotel will be impacted by the GDPR if you:
- Collect personal data or behavioral information from someone located in the EU
- Provide goods or services to the EU (including free services) but are located outside the EU
How are restaurants affected?
Complying with the GDPR will vary between restaurants, depending on how well their business activities support the personal data privacy rights of EU individuals. For franchised restaurants, GDPR implementation is especially important, given that they likely use a variety of channels to interact with customers (point of sale, loyalty programs, mobile apps, kiosks, email, etc.).
Let’s say an American fast food restaurant opens a new location in the UK. Despite the fact that its headquarters are in the U.S., the restaurant will now be held to the policies set forth in the GDPR.
So, restaurants with no connection to the EU don’t have to worry, right?
Well… not exactly. U.S. restaurants that regularly serve individuals from the EU may be required to comply if they are collecting personal information from these customers (like credit card numbers). This is especially important for restaurants that operate out of tourism hotspots in the U.S. like Las Vegas, New York City, Boston, Newport, etc.
How are hotels affected?
Similarly, the GDPR impacts hotels across the globe. All properties that target EU residents as customers (no matter where they are located) need to comply with GDPR regulations. Hotels should document what personal data they hold (of both guests and employees), where it came from, and whether it is shared with anyone.
The GDPR provides extra protections for sensitive data. This includes personal data that reveals any of the following:
- Membership in a trade union.
- Biometrics, such as a fingerprint stored for opening doors.
- Health status, which may be shared in guest requests for rooms with specific amenities.
Again, in U.S. tourism “hot spots”, hotels have to be particularly mindful of their data privacy obligations, as customers from the EU are likely lodging at their establishments.
Implementing a data privacy program
Check out our blog for more on this, but some good starting points for your data privacy program include:
- Documenting all personal data you hold, where it came from and who you share it with.
- Reviewing your current privacy notices and putting a plan in place for making any necessary changes in time for GDPR implementation.
- Designating someone (a “Data Protection Officer”) to take responsibility for data protection compliance, and assessing where this role will sit within your organization’s structure and governance arrangements, if applicable based upon your size.
The GDPR took effect May 25, 2018, so it’s crucial that your restaurant or hotel is up to date on its data privacy practices and has all the necessary controls in place to meet the requirements of the GDPR.
Contact us for more information.