With the enforcement of GDPR less than 48 hours away, the hospitality industry has had a big job on its hands to catch up with the changes in requirements. By the very nature of the industry, a Venue wouldn’t want to “duck” the GDPR requirements by excluding EU citizens, and as such, all hoteliers are affected, irrespective of global location.
There’s been some great work carried out by the industry, particularly the whitepaper produced by HTNG that provides context, clarification and guidance (as much as is possible with any new Regulation!), and we recommend reviewing their extensive work as part of your assessments.
Identifying (and categorising) the personally identifiable information (PII) that you process across all systems should be the starting point, but it is then important to determine your role as either the Data Controller, a Processor, or a sub-processor.
To do this across all of the business systems is complex and a significant project for any organisation (having done so within Airangel, trust me, I have great sympathy and empathy!), and understandably, the Guest WiFi system seems to have been a relatively low priority for many, assuming that the provider “will have that covered”.
However, all may not be as it seems at “first glance” and we are still receiving queries from Venue Operators who are trying to establish who is the Data Controller for the Guest WiFi system, something that should have been considered at the outset of the data protection audit and impact assessment.
In very simple terms, the test of this is to confirm who decided what data to collect, and how it will be collected and used – who determined the “purpose and means”?
So, who are you within this relationship?
If you’re the GM within a Venue and the portal design and user authentication journey have been “sent down from on high” by the Global Hospitality Group, and particularly if the journey involves a centralised authentication requirement, then things could be a lot more complicated. Depending on who controls what is done with the data, it may be that the Hospitality Group is the Data Controller, or, if you have an ability to use that data for your own purposes as well, you’re likely to be viewed as Joint Controllers.
The long and the short of it is that it’s often more complex than you may at first think, but it’s imperative that you have a very clear understanding of your role, and therefore your GDPR responsibilities, and also those of your data processors.
Our own GDPR project is now almost 2 years old, during which time we have evolved our readiness position, and now have documentation, processes and supporting documentation that can assist in your own GDPR compliance project.