The hospitality sector is facing greater cybersecurity risks than ever before. In 2017, seven major hotel chains were the targets of cyberattacks. Last year, Marriott reported that 500 million customers' data were exposed in a cyberattack. Since most of these companies operate in the European Union or have guests from EU countries, they need to take better precautions to avoid getting fined in the future. Under GDPR, failing to adopt appropriate data security requirements can lead to fines of up to $22.6m (€20m) or 4% of a company's global revenue, whichever is higher. Experts from the Schulich School of Business state that the GDPR is having a profound impact on big data strategies in many industries, including hospitality.
The intention behind GDPR is to help mitigate these risks, but hospitality companies are still debating the impact that the data protection initiative will have on their businesses. Big data is playing an increasingly important role in business models in the hospitality sector. Companies in the sector use big data to provide more personalized services and optimize processes. Digitalization has been vital to their efforts to obtain more nuanced information about their guests.
Predictably, the response to GDPR has been mixed. Clare Cella, a partner in the hospitality practice at PKF O'Connor Davies, said it is a bane for the industry. Michael Toedt, Managing Director at Dailypoint GmbH, called it a blessing in disguise that forces companies to ditch their outdated data protection systems and prepare for the future.
Whatever the impact of the GDPR, it is clearly changing the way hospitality companies handle data security. It is bringing about a paradigm shift in the concept of security. Today, it is not enough to protect a PMS (property management system) from possible intrusions, because the impact of GDPR has not ended at the threat of fines for failure to comply. By bringing data protection issues to the front page of popular media, GDPR has made data protection policy one of the most important assets of hospitality brands around the world and made a trustworthy brand image essential for attracting and retaining customers. This matters all the more because so few companies have successfully built their brand image to capitalize on this: just 15% of UK customers feel their data are being used safely by the hospitality sector, according to IDEX Biometrics ASA.
Patricia Miralles, head of innovation at the Instituto Tecnológico Hotelero (ITH) in Spain, emphasizes the importance of data protection in the sector: "Data protection is a fundamental aspect in the hotel sector, since it is an intensive industry in the management of information in very diverse fields, from economic data (credit or debit cards, bank accounts, etc.); financial (financial accounts, reserves and bank transactions, balance of results and profits and losses); and personal (tastes and preferences of the client, reasons for the trip, companions, purchases at the hotel, among others)."
In other words, the hospitality sector must pay particular attention to data protection simply because the essence of the business lies in the trust and information of its guests, even though the data it handles is not as sensitive as the data handled in other industries (such as health, beliefs or gender data sets).
Despite its growing importance, the protection of personal data is still not a priority for many hospitality companies. Miralles said that in Spain, only 42% of hotel owners have a comprehensive security plan, while 83% lack response programs in the event of a cyberattack. By comparison, Symantec claims that two-thirds of hotel websites leak customers' personal data and booking details.
GDPR and other legislation have helped raise awareness of the importance of protecting consumer privacy, but they have not finished the job. Brands that aim not only to survive but to thrive in the coming years must embrace data protection and compliance policy, gaining a head start by being the first to prove their commitment to becoming a trustworthy, transparent brand.