GDPR Deadline Expires: Are Indian Hotels Ready?
The EU GDPR was introduced on 27 April 2016 with the aim of fortifying data protection for all EU citizens and preventing the misuse of Personally Identifiable Information (PII). It is expected to revolutionize data protection laws across the EU. Organizations were given two years to implement it, with a completion date of 25th May 2018, so that organizations the world over could understand and steadily adapt to it and avoid the heavy fines that would result from non-compliance.
The GDPR impacts not only businesses within the EU but also global businesses that have any collaborations with the EU. For example, India has a substantial marketplace for the ITeS, BPO, and pharmaceutical industries in Europe. According to PwC India, “The size of the IT industry in the top two EU member states (i.e. Germany and France) is estimated to be around 155–220 billion USD.” This highlights how significant GDPR compliance is for Indian companies. After all, non-compliance could result in penalties of 20 million EUR or 4% of global turnover. That could be devastating for any company.
The hotel industry, by the nature of its service, finds itself in possession of a hoard of personal data belonging to its guests. However, in accordance with GDPR guidelines, hotels might have to delete certain information if requested by the guest.
As was revealed by the Hyatt hotel data breach incident in October 2017, hotels are vulnerable to content leaks, which can impact customers as well as the hotel’s reputation. A payment systems breach at the Hyatt Hotels Corporation exposed customer credit card data from 41 hotels in 11 countries globally. The breach was discovered in July, but Hyatt was only able to inform customers after three months.
Taj Hotels updated its TAJ Hotels Data Privacy Statement to highlight the changes it has brought about.
“This privacy statement describes how we collect and use your personal information and data, in accordance with the EU GDPR. It applies to all guests and visitors, known through this document as ‘data subjects’. The IHCL Group is a ‘data controller’. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy statement,” the statement said.
ET quoted Mandeep S. Lamba, who stressed how important GDPR compliance was to hotels: “The protection of personal data received either for reservations or for payment of hotel bills or any other purpose has to be fully protected in accordance with the GDPR. If a customer wants his/her data edited or deleted, the hotel must have the ability to do so and to provide a complete trail and evidence,” he said.
However, not all hotels have been so prompt in updating their privacy policies.
“While the larger organized hotel companies have taken cognizance of the GDPR and are acting to ensure compliance, the smaller companies are the concern and have not shown the necessary agility. Most people are not realizing that while this is an EU regulation, it has ramifications across the globe for any company that has gathered personal information of any EU resident while the resident is within the EU geographical region. This means that any hotel bookings taken for EU residents make any hotel or travel agency subject to GDPR and the ramifications of any breach of the same,” Lamba told ET.
According to ET, Rana Gupta, VP, APAC, sales and services, identity and data protection (enterprise and cybersecurity) at Gemalto, explains that GDPR does not apply if a company only processes personal data outside the EU and does not offer its hospitality services to EU member states or track them on the internet. However, if the company has a website with the ability to translate into European languages, and uses search optimization engines that show up as options targeting EU domains used by EU travelers, then GDPR applies because this indicates that the company is offering its services to EU members.
Apart from hospitality, the Indian IT industry must also watch its back and can expect many changes in the environment of its products, since Europe is its second-largest market after the US.