Fundamentally, the hospitality business has a simple model: as is often said, it amounts to putting heads in beds. Finding the heads to put in those beds, however, is a complex task that requires organizations to collect a great deal of data about their guests. Collecting and handling that data creates business opportunities but also brings obligations, one of the most essential of which is guaranteeing privacy and personal data protection.
The modern hospitality industry faces a further test: meeting its obligation to protect the guest’s privacy during his or her stay at the hotel. This obligation arises the moment the guest enters into an agreement with the hotel by checking in. Guests enter into a contract with the hotel upon their visit, and this entitles the hotel to process their information. Hotels can voluntarily offer guests certain rights over their personal information, such as the right to access information, the right to restriction of processing, the right to object, the right to rectification, the right to erasure, etc.
A recent report from Salesforce shows that customers have limited trust in how organizations handle their information: 59% believe their personal information is vulnerable to a security breach, and 54% do not believe that companies have their best interests in mind. The same report also showed that giving customers control over what information is gathered, being transparent about how information is used, keeping information secure, and obtaining express customer consent to use information were all ways organizations could improve that level of trust. Survey respondents also indicated that they were more likely to be loyal, recommend the company, spend more money, and share their experiences if they trusted the organization.
Types of personal data collected
The type of personal data collected is a matter of each hotel’s own approach and varies from one hotel to another. The following is a list of the personal data generally collected when you make a hotel booking:
The personal data collected by hotels is used to perform contractual obligations and to comply with legal obligations. Such information can be used for contract administration, business planning, accounting and audit, providing services and benefits, managing legal obligations, preventing fraud, ensuring network and information security, etc.
Data privacy laws
There is no specific legislation on data privacy in India. However, it is to be noted that the Supreme Court of India has declared the right to privacy a fundamental right under Article 21 of the Indian Constitution. In its landmark judgement in Justice K S Puttaswamy and Another vs Union of India and Others (2018), the nine-judge bench unanimously held that “privacy is an intrinsic part of the right to life and personal liberty under Article 21 of the constitution”. Since most client information is stored electronically by hotels, compliance with the provisions of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 is mandatory. The IT Rules protect both ‘personal data’, i.e. “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person”, and ‘sensitive personal data’, that is, certain specific categories of data such as passwords; financial information such as bank account, credit card, debit card or other payment instrument details; physical, physiological and mental health condition; and medical records. Since all of this client data is capable of identifying an individual, the hotel has an obligation to secure it.
The introduction of the European Union’s (“EU“) regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR“) has significant implications for Indian organizations processing the personal data of EU residents. Because the GDPR has extra-territorial application and applies to the processing of personal data of EU residents even by entities located outside the EU, Indian entities acting as either a ‘controller’ (i.e. the person who determines the purposes and means of the processing of data) or a ‘processor’ (i.e. the person who processes the personal data on behalf of the controller) of the personal data of persons in the EU, in relation to offering goods or services to such persons or monitoring their behaviour in so far as it takes place within the EU, become subject to the GDPR. The GDPR defines “personal data“ as any information relating to an identified or identifiable natural person (the “Data Subject“). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, and consequently all such data is considered ‘personal data’ under the GDPR. For Indian companies dealing with such ‘personal data’ of EU residents, it is therefore imperative to implement the data protection requirements stipulated in the GDPR within their systems. This requires a substantial redesign and rewriting of their security policies and contractual arrangements with EU counterparts/Data Subjects, and of their internal data protocols and systems, to make them GDPR compliant.
It is a hotelier’s duty to recognize that the information belongs to the guest and to define a core data protection strategy on that basis. Here are some individual rights under the GDPR:
Considering the increased incidence of hacking and the demand for guest information from organizations around the world, the data gathered by hotels is under constant threat of a data breach. Insurance can be a remedy for data breaches, but its effectiveness is questionable. Hotel Management Agreements are silent on the subject of data breaches. These agreements state that ownership of the data rests with the manager of the organization. However, the data is mostly collected by the employees of the organization and not by the manager, and this has been a source of conflict, since there is no clear demarcation between the manager and the owner. Although the owners should bear the damages attached to a data breach, there are also force majeure events, such as third-party acts, which cannot be controlled by any of the hotel’s IT systems.
From the viewpoint of cybercriminals, hospitality appears to offer an ideal target for offences such as identity theft and credit card fraud because of the many data sets and devices holding both guest personally identifiable information and financial data. This data can be used in spear phishing schemes, sold on in bulk, or possibly used to make cloned cards when strong encryption is not in place to protect the financial information. With a full understanding of the primary information security threats and some best practices for mitigating those risks, the hospitality industry is better positioned to carry out a thorough data security strategy that involves the necessary technologies, processes, and people to improve cybersecurity.