5 ways hoteliers can solve the sector’s data protection problem

Here’s a sobering stat. Two-thirds of hotel websites leave guests’ personal data exposed to hackers.


However, this is not new knowledge! Just think back to the 2018 headlines of Marriott’s epic data breach of some 500 million guest details. There has been a raft of high-profile data breaches in the hotel and travel sector in the last year.


With hotels dealing with highly personal data – from payments to passports – they are prime targets for hackers looking to exploit weaknesses. However, criminals aren’t the only threat hotels are dealing with. Here we explore those threats and offer tips to keep your organisation, staff and guest data safe.


Hackers target small hotels too


While large-scale hacks may be getting front-page attention, it’s important to note that it’s small and medium-sized businesses that hackers target most often. In October 2018 Hiscox reported that UK small businesses are being targeted with an average of 65,000 attempted cyber attacks every day.


It’s precisely their size that makes them attractive – smaller businesses are unlikely to have teams of cyber security experts on hand, and are more likely to have missed major holes in their data protection processes, technologies and training.


While small businesses might not have the resources to hire a cyber security team, there are standards, tools and certifications that not only protect systems, but show customers you take their data privacy seriously.


In an era of growing digital mistrust it’s not only data you’re protecting by taking defensive steps, it’s your reputation.


The threat from within…


In 2018 it was reported that half of data breaches actually come from within the organisation itself: employees, third-party suppliers and partners.


Usually such accidental breaches can be attributed to a lack of training and poor data protection policies. Unfortunately, with GDPR now in full effect you can’t get away with saying ‘oops, sorry’.


Insider mismanagement will fall just as foul of the regulations as poor cybersecurity defence against criminal breach.


Tips and tools for small hotels tackling data breach


1) Know your weaknesses


No one can truly defend themselves if they don’t know where their weaknesses are. The first step in any defence strategy is to take an objective view of weak links. Whether that’s unpatched technology, incomplete processes or untrained staff. A data protection health-check from an independent third-party can give you a true picture of your position.


2) Make use of automation


People make mistakes, especially where time and resources are in short supply. Using automated processes removes a lot of risk while providing auditable trails – an essential part of GDPR compliance that many forget to consider.


3) Review your tools


Despite the vast array of tools available to help streamline and simplify data protection processes, many small businesses still rely on outdated systems like Excel to manage databases. Where more sophisticated tools are used, they are not being taken full advantage of, or businesses may be paying for services they do not use or need. It’s healthy to review your tools regularly to make sure you are getting the most from them.


4) Make training more than a tick box


With employees often the weakest link in your defences, it’s essential not only to train staff but to actively engage them in data protection. This means committing to more than thirty minutes of tick-box training. It means instilling a culture of data awareness through regular communications, refresher training and leading by example.


Importantly, it means putting each person’s role into context. Team-specific training can help focus employees on the particular issues they might encounter, and explain the potential consequences of sloppy practice.


5) Demand more from suppliers and partners


Under GDPR, organisations have a responsibility to ensure that suppliers who deal with customer data comply with the regulations. Rather than take their word for it, demand evidence from the third parties you entrust data to.


There are schemes such as the UK government’s Cybersmart accreditation and the international ISO 27001 certification that provide this kind of evidence. In fact, 73% of organisations report that they have had customers enquire about their ISO 27001 status, with 40% of new business contracts and tenders demanding it.


Make competitors your allies in the fight against data breach


While hoteliers work in a competitive industry, there are no winners if we don’t work together to stem data breach and poor data protection practices. It is no good rubbing hands with glee if a competitor gets busted – next time it might be you.


With a complex range of policies, practices and regulations to contend with, it can be a constant battle to ensure your defences are strong. The good news is that there are tools and expertise available to do the hard work for you.


If, as an industry, hoteliers can work together to shore up defences, then hotels will no longer be an attractive prospect for hackers, and internal standards will be raised across the board.


Find out more about our dedicated data protection services for hospitality and event organisations.

Is the US really prepping its own GDPR-style law?

In the run up to the GDPR coming into force in Europe in May 2018, US organisations grappled with whether to change data protection practices and continue to do business throughout the world, or give up and move on to other ‘easier’ climes.


In fact, in the same month The Financial Times reported that some small US companies had already made the decision to quit the EU, rather than face the burden of trying to comply with stricter data protection regulations.


However, according to some commentators it seems that this move may have been one of pointless delay, rather than tactical retreat.


Following numerous high-profile data breaches and the uncovering of shady data-sharing practices, there is building evidence that the US will itself move towards GDPR-style regulation. As such, US organisations that already comply with European data protection regulations are positioning themselves as one step ahead in the inevitable march towards tighter regulation of personal information across the world.


So what’s the evidence that the US may be following in GDPR’s footsteps? Well, lawmakers at State level are already making their stance clear…


California as a test case?


In June 2018 the California Consumer Privacy Act was passed, and will come into force in January 2020. While not as stringent as GDPR, it will place responsibilities on businesses with over 50k customers in California to apply certain GDPR-like processes, and is seen as the first step towards a European-style statute in the US.


It seems that such law-making is welcomed by consumers – a profound shift in cultural attitudes that could well drive stricter controls.


In March 2018 Cambridge Analytica was exposed as being involved in harvesting private information from Facebook to aid political campaigning.


Following this, and data breaches at other financial institutions, 94% of American consumers reported being generally concerned about their data, and 57% said that the scandal made them even more concerned about their data privacy and security than they were before.


The Cambridge Analytica scandal fed US consumers’ growing distrust and concern around how businesses are using personal data. A global report on attitudes to data privacy showed that those in the US were the most concerned about online privacy, and the least happy with the amount of personal information organisations had access to.


Put simply – US consumers are becoming more aware and more concerned with how their data is used, and with every news story of data breach or misuse, this opinion hardens.


In fact, 68% said they would welcome similar GDPR laws in the US, to give individuals greater control over their data.


Of course, there are also those who argue that the US is far from following in Europe’s footsteps. With a powerful tech lobby active in the halls of US government, alongside the trials of getting any such complicated law through Congress, some doubt that public attitude will spur stricter law-making in this area.



One key issue raised by those who are sceptical about a US GDPR is the lack of an effective agency to carry regulatory responsibility. Unlike the UK (which will retain GDPR post-Brexit), the US has no Information Commissioner’s Office, i.e. no single entity that can be charged with cross-sector data protection enforcement.


Can the US really function in a data-bubble?


Whether or not we will see the US adopt a stricter legislative stance on data protection, organisations cannot ignore the power of consumer perception or the effects of global responses to these concerns.


For example, Brazil’s General Data Protection Law, or GDPL, echoes much of the GDPR and gives organisations doing business there until 2020 to ready themselves for compliance. For ambitious US businesses seeking growth in global markets, does it really seem sensible to simply cut ties with countries, or indeed neighbouring states, that adopt stricter regulation?


Similarly, with consumer attitudes shifting across the globe, shouldn’t US organisations be considering the reputational benefit of being proactive in adopting fair and stringent data protection practices?


Many commentators go a step further and describe the business benefits GDPR compliance can have. From better, smarter data management and analysis to improved customer loyalty and better ROI on marketing, the benefits of being GDPR compliant by choice rather than by force are numerous.


US businesses could indeed wait to review their data protection culture until the law forces it. In doing so, however, they need to question whether their customers and partners will already have left them, and their business, far behind. When competition for customers is fierce, competitors will move in where they see weakness. With a spotlight now firmly on data protection as a measure of good business practice, you can be sure your competitors are seeking advantage.


Tenax are experts in cross-border compliance in data protection. Speak to our experts today about how your business can benefit from GDPR compliance – and how to get there.