How a non-compliant breakfast could cost hoteliers dearly

Did you miss the headline fine dished out to Marriott by the Information Commissioner’s Office this year? A whopping £100m for the loss of personal data including credit card details, passport numbers and dates of birth stolen in a massive global hack of guest records.


In fact, our previous blog explored this breach and its consequences for hoteliers. Most startling was the fact that two-thirds of hotel websites leave guests’ personal data exposed to hackers.


While Marriott has stolen the limelight for hotels hit by GDPR enforcement, they aren’t the only hoteliers coming under the cosh. We were alerted to an interesting case of non-compliant breakfasting by travel blogger One Mile at a Time that left us thinking about the myriad GDPR challenges this industry comes up against.


On July 2nd the World Trade Center Bucharest’s Pullman hotel was fined 15k Euros by the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP).


A photograph was taken without the guests’ permission that showed a list of 46 names of those booked in for breakfast at the hotel. That was all it took for the hotel to have to hand over thousands in fines. 

Here’s the summary from


 – The breach of data security was that a printed paper list used to check breakfast customers and containing personal data of 46 clients who stayed at the hotel’s WORLD TRADE CENTER BUCHAREST SA was photographed by unauthorized people outside the company, which led to the disclosure of the personal data of some clients through online publication. The operator of WORLD TRADE CENTER BUCHAREST SA has been sanctioned because it has not taken steps to ensure that data is not disclosed to unauthorized parties – 


You can imagine this scenario play out across so many functions. From travel arrangement lists, event guest lists used on the door, to breakfast, lunch and dinner! How would you feel coming up against a 15k fine for non-compliant printouts?


It goes to show that it isn’t just high-profile hacks that can land hoteliers in hot water when it comes to GDPR. Proper data protection encompasses the whole business – not just email marketing permissions or hack precautions.


With this in mind it is essential to track and respond to any potential business practices that can lead to breach. This should go hand in hand with staff training and awareness. As this latest example shows, an employee armed with a printer could see your business end up on the register of GDPR offenders – and cost you a lot more than the price of a free breakfast…



If you are struggling to identify the weak links in your GDPR strategy get in touch to find out how we can help shore up your defences with our bespoke auditing services. 


Facial recognition technology at events – next generation nightmare?

Event professionals aren’t often given the recognition they deserve – it’s a catch 22. If you do the job well the hours of behind-the-scenes planning, prep, sweat and tears are often taken for granted.


This is a profession that demands creativity and the ability to analyse and problem solve for almost any eventuality! When technology comes along that promises to solve your most troublesome pain points it’s no wonder it’s met with open arms.


And this time, we are talking about live facial recognition.


Revolutionary, innovative, exciting? Or, invasive, insecure and maybe even illegal? Here we dig into the reality of facial recognition and what it means for events professionals on the front line.


Why use facial recognition technologies?


Many of us are already used to using facial recognition in our lives, with most of the latest smartphones scrapping unlock codes for a scan of your profile. Similarly, many airports and border checks deploy the technology for safety and crime prevention; in the UK we are encouraged to use epassport gates powered by facial recognition over and above manned border controls.


Similarly, as this blog from EventsAir summarises, there are several reasons why the hospitality industry is excited about the potential of live facial recognition. Quicker check-in, enhanced safety, data and insights, personalisation and convenience to name a few. While still in its infancy there is already talk of how next-level biometrics technologies could be deployed within events. Imagine being able to analyse en masse when people are hungry, dehydrated or tired and in need of a break?


The ability to analyse and tailor events based on detailed metrics is very exciting.


Here comes the but…


Live facial recognition and the law


The introduction of GDPR put a firm stake in the ground when it comes to such biometric analytics.


Following the deployment of live facial recognition by South Wales Police for the purpose of crime prevention and detection, Elizabeth Denham, UK Information Commissioner wrote an uncompromising blog. She explained that live facial recognition technology, no matter the purpose for which it is deployed, is subject to data protection legislation.


Under GDPR biometric data is classed as a ‘special category’ and so requires even greater protections. The legislation doesn’t preclude use of facial recognition technologies but is very clear about the permissions and parameters that apply.


From ‘explicit consent’ to ‘appropriate safeguards’ the GDPR lays down the conditions under which live facial recognition can be used legally. While it’s clear that data protection law applies to facial recognition, deciphering the legislation is a challenge in itself!


It’s worth noting too that GDPR doesn’t just apply to events taking place in the EU, but to any EU subject no matter where they are. Planning for an event with EU attendees in California or Brisbane still requires you to comply with GDPR. Whether using state-of-the-art technologies such as live facial recognition or biometrics, or simply processing personal data in more conventional ways, GDPR should now hold top billing in relation to event prep.

Don’t assume attendee attitudes to facial recognition


These technologies are the subject of much debate, with Amazon recently under pressure from activist shareholders concerned about the direction of its ‘Rekognition’ software. In China there are shocking reports of the state using facial recognition to track and target ethnic minorities.

A study by the Brookings Institute in September 2018 suggested that around half of Americans wanted law enforcement to be limited in their use of facial recognition technologies. 42% agreed that it invaded personal privacy rights. However, some studies suggest that people are more open to facial recognition technologies – especially where it concerns issues of safety and security.


It’s important to consider how any potential use of facial recognition at public events is justified to attendees – not just to gain individuals’ explicit consent but also to reassure and educate.


With our decades of experience in the events and hospitality industry we know the demands placed on event pros. Importantly, we understand how GDPR applies to the events industry and the additional challenges it places upon colleagues.


If you’re worried about data protection and compliance with GDPR, get in touch and let’s chat.

Five ways in which GDPR compliance drives better business

Over the past twelve months four little letters have sent a shiver up the spine of business leaders. Can you guess which ones?


Yes it’s ‘GDPR’, the EU’s General Data Protection Regulations that came into force in May 2018. In the run up to this deadline doomsday headlines dominated. From the potentially huge fines for breach, to predictions of regulators gearing up to smite businesses small and large indiscriminately.


Unfortunately in among the fear-mongering, a massive opportunity was missed. What the GDPR pundits failed to report are the very real business benefits of compliance with the new data protection regulations.


In fact, good data protection practices don’t just safeguard against the prying eyes of regulators. They make you do better business, helping to revolutionise the way we use, process and harness the power of data.


Here we explore how you can increase your competitive advantage by going beyond GDPR compliance to make your data work harder and smarter.


1) GDPR makes you get a grip on security



88% of data breaches are not the result of cyber attack or poor technology – they are the result of human error. Whether emailing sensitive information to the wrong recipient, storing data in unsecure locations or losing paperwork, it’s the people in your organisation that are the biggest threat to data.


The GDPR is very clear about who should have access to sensitive personal data through access management policies and procedures. Businesses need to make sure that personal data can only be accessed by the right people in the organisation, for the explicit purpose for which that data has been collected or stored.


In short, the GDPR limits who can access personal data, and why – and those who do have access require training and knowledge of the responsibilities of handling it.


The fewer people who access sensitive data, the less the risk of human error leading to data breach.


2) Privacy by design means secure, cross-border business



With GDPR applying to anyone doing business in the EU, the reach of the regulations extends across the world. While some see this as a burden, we should really consider the positive ripple effect that the EU’s robust approach to data protection sets in motion. In fact, other regions are following suit – with Brazil echoing much of the regulation, and discussion on how the US will respond to the need for greater protections.


Organisations operating across EU borders should find solace in the fact that the partners they depend on are governed by GDPR. With the regulations designed to encourage businesses to implement privacy by design, the onus is on organisations to be stringent about data protection at every step. That includes their dealings with third party suppliers and partners.


Demonstrating proactive GDPR compliance shows you are geared up for the global marketplace, that you can be trusted, and are aligned with your international partners.


3) Data protection creates greater customer confidence



60% of consumers are aware of GDPR, and with headlines of high profile fines for organisations found in breach, awareness will only grow. At the same time, 48% of UK adults are planning to activate new rights over their personal data.


Demonstrating a proactive, open and encompassing approach to data-protection shows customers you take their concerns seriously, and respect their autonomy in relation to data. In fact, the number of consumers who say they are happy to share their data if they trust the company has nearly doubled between 2016 and 2018, from 16% to 30%.


Never mind the fallout from being found in breach of GDPR, focus on the advantage you gain in complying – and being vocal in your support of the foundations of the regulations. Earning the trust of your customers is priceless, while the cost to comply is negligible in comparison.


4) GDPR delivers better marketing ROI



One of the pillars of the GDPR is that organisations need a data subject’s consent to process personal information. By cleansing your databases of those who did not opt-in you immediately hone your target list to relevant and engaged clients. With a cleansed database it is much easier to experiment with tailored and targeted marketing messages and tactics that speak to your audience.


By adopting such a targeted approach, through the use of ‘clean’ data, not only are you complying with GDPR, but you will find higher conversion rates can be achieved from your marketing efforts. Cleanse data, understand your audience and watch your marketing budget work harder.


5) GDPR compliance will improve your bottom line



Quite simply, complying with GDPR won’t just improve your security practices, data handling procedures and marketing output – it is having a direct impact on organisations’ profitability.


Our partners Port.IM recently reported that the impact of GDPR compliance can result in up to 30% sales growth. This is as a result of increased trust and secure management of privacy.


Whether improved security, strengthened customer trust, borderless commerce or improved targeted marketing efforts, GDPR isn’t a rod for our backs, but a tool for better business.


Whether you are at the start of your GDPR journey, or are seeking insight on how to assess, test or improve your systems we are here to offer our expertise.


Get in touch to discuss how we can help turn compliance into better business!

Transform subject access requests into better business with Port Engage

The General Data Protection Regulation has had a huge impact on the rights individuals have to access personal data held by organisations about them.


Under GDPR transparency between data subject and data controller is a core principle. Infringements of data subject rights attract the highest financial penalties as well as empowering the regulator to stop businesses processing data at all.


With increased awareness and consumer concern over data privacy, research has shown that 48% of UK adults plan to activate these new rights over their personal data.


For organisations dealing with this deluge of subject access requests, the challenge is two-fold:


  • Streamlining processes to ensure cost-effective compliance

  • Transforming subject access requests into a valuable customer touchpoint


In response to both these challenges, along with our partner Port.IM we are launching a dedicated subject access solution – Port Engage.


Port Engage enables customers to instantly access the data held on them by an organisation via a simple online portal. For businesses this means instant, guaranteed compliance with data protection regulations and a tangible opportunity to build trust with their customers.


Vitally, for customers it provides proof of an organisation’s dedication to transparency and respect in relation to personal data.


Learn how Port Engage works


“By far the most important factor for consumers in deciding to share their personal data is whether they trust the relevant organisation. Trust in an organisation or business remains the dominant prerequisite when engaging consumers within the data economy.”

Data & Marketing Association


What Port Engage offers you and your customers


Your customers
  •  Instant access to personal data
  •  Simple, customer-friendly portal
  •  Proof of dedication to transparency
  •  Greater understanding of benefits of sharing personal data
  •  Assurance of compliance with GDPR

Your business
  •  Instant compliance with subject access requests
  •  Remove threat of missed deadlines in respect of subject access requests
  •  Proactive transparency
  •  Strengthen customer trust
  •  Valuable customer touchpoint
  •  Demonstrate how data is used for customer benefit (e.g. Loyalty Schemes)


Designed with hospitality in mind


As experts in GDPR compliance for the hospitality industry, Port has built Engage to support their data-driven clients in achieving more from guest interactions. Alongside Tenax’s specialist experience in this industry, we’ve chosen Port Engage as our partner, answering the very specific needs of our clients.


Research by American Express found that 83% of millennials said they would happily let hospitality brands track their digital patterns if it meant more personalised experience.


To benefit from customers’ desire to engage and share data it is vital that it is done with full regard to the GDPR, with full, demonstrable and transparent consent.


Using transparent solutions such as Port Engage means hospitality brands can offer personalised experiences built on a foundation of compliance – leading to better business and more loyal customers.


Contact Bruce Smith for more information on how we can help you and your customers get more from data, while remaining compliant with regulations.


5 ways hoteliers can solve the sector’s data protection problem

Here’s a sobering stat. Two-thirds of hotel websites leave guests’ personal data exposed to hackers.


However this is not new knowledge! Just think back to the 2018 headlines of Marriott’s epic data breach of some 500 million guest details. There’s been a raft of high profile data breaches in the hotel and travel sector in the last year.


With hotels dealing with highly personal data – from payments to passports – they are prime targets for hackers looking to exploit weaknesses. However, criminals aren’t the only threat hotels are dealing with. Here we explore those threats and offer tips to keep your organisation, staff and guest data safe.


Hackers target small hotels too


While large-scale hacks may be getting front-page attention, it’s important to note that it’s small and medium size businesses that hackers target most often. In October 2018 Hiscox reported that UK small businesses are being targeted with an average of 65,000 attempted cyber attacks every day.


It’s precisely their size that makes them attractive – smaller businesses are unlikely to have teams of cyber security experts on hand, and are more likely to have missed major holes in their data protection processes, technologies and training.


While small businesses might not have the resources to hire a cyber security team, there are standards, tools and certifications that not only protect systems, but show customers you take their data privacy seriously.


In an era of growing digital mistrust it’s not only data you’re protecting by taking defensive steps, it’s your reputation.


The threat from within…


In 2018 it was reported that half of data breaches actually come from within the organisation itself: employees, third party suppliers and partners.


Usually such accidental breaches can be attributed to a lack of training and poor data protection policies. Unfortunately, with GDPR now in full effect you can’t get away with saying ‘oops, sorry’.


Insider mismanagement will fall just as foul of the regulations as poor cybersecurity defence against criminal breach.


Tips and tools for small hotels tackling data breach


1) Know your weaknesses


No one can truly defend themselves if they don’t know where their weaknesses are. The first step in any defence strategy is to take an objective view of weak links, whether that’s unpatched technology, incomplete processes or untrained staff. A data protection health-check from an independent third party can give you a true picture of your position.


2) Make use of automation


People make mistakes, especially where time and resources are in short supply. Using automated processes removes a lot of risk while providing auditable trails – an essential part of GDPR compliance that many forget to consider.


Despite a vast array of tools available to help streamline and simplify data protection processes, many small businesses still rely on outdated systems like Excel to manage databases. Where more sophisticated tools are used, they are not being taken full advantage of, or businesses may be paying for services they do not use or need. It’s healthy to review your tools regularly to make sure you are getting the most from them.



4) Make training more than a tick box


With employees often the weakest link in your defences it’s essential not only to train staff, but actively engage them in data protection. This means committing to more than thirty minutes of tick-box training. It means instilling a culture of data awareness through regular communications, refresher training and leading by example.


Importantly it means putting each person’s role into context. Team-specific training can help focus employees on the particular issues they might encounter, and explain the potential consequences for sloppy practice.


5) Demand more from suppliers and partners


Under GDPR organisations have responsibilities to ensure that suppliers who deal with customer data comply with the regulations. Rather than take their word for it, demand evidence from the third parties you entrust data to.


There are schemes such as the UK government’s Cybersmart accreditation and the international ISO 27001 certification that provide this kind of evidence. In fact 73% of organisations report that they have had customers enquire about their ISO 27001 status, with 40% of new business contracts and tenders demanding it.


Make competitors your allies in the fight against data breach


While hoteliers work in a competitive industry, there are no winners if we don’t work together to stem data breach and poor data protection practices. It is no good rubbing hands with glee if a competitor gets busted – next time it might be you.


With a complex range of policies, practices and regulations to contend with, it can be a constant battle to ensure your defences are strong. The good news is there are tools and expertise available to do the hard work for you.


If as an industry hoteliers can work together to shore up defences then hotels will no longer be an attractive prospect for hackers, and internal standards will be raised across the board.


Find out more about our dedicated data protection services for hospitality and event organisations.

Is the US really prepping its own GDPR-style law?

In the run up to the GDPR coming into force in Europe in May 2018, US organisations grappled with whether to change data protection practices and continue to do business throughout the world, or give up and move on to other ‘easier’ climes.


In fact, in the same month The Financial Times reported that some small US companies had already made the decision to quit the EU, rather than face the burden of trying to comply with stricter data protection regulations.


However, according to some commentators it seems that this move may have been one of pointless delay, rather than tactical retreat.


Following numerous high profile data breaches, and the uncovering of shady data-sharing practices there is building evidence that the US will itself move towards GDPR-style regulation. As such, US organisations that already comply with European data protection regulations are positioning themselves as one-step ahead in the inevitable march towards tighter regulation of personal information across the world.


So what’s the evidence that the US may be following in GDPR’s footsteps? Well, lawmakers at State level are already making their stance clear…


California as a test case?


In June 2018 the California Consumer Privacy Act was passed, and will come into force in January 2020. While not as stringent as GDPR, it will place responsibilities on businesses with over 50k customers in California to apply certain GDPR-like processes, and is seen as the first step towards a European-style statute in the US.


It seems that such law-making is welcomed by consumers – a profound shift in cultural attitudes that could well drive stricter controls.


In March 2018 Cambridge Analytica was exposed as being involved in harvesting private information from Facebook to aid political campaigning.


Following this and data breaches in other financial institutions, 94% of American consumers reported being generally concerned about their data and 57% said that the scandal made them even more concerned about their data privacy and security than they were before.


The Cambridge Analytica scandal fed US consumers’ growing distrust and concern around how businesses are using personal data. A global report on attitudes to data privacy showed that those in the US were the most concerned about online privacy, and the least happy with the amount of personal information organisations had access to.


Put simply – US consumers are becoming more aware and more concerned with how their data is used, and with every news story of data breach or misuse, this opinion hardens.


In fact, 68% said they would welcome similar GDPR laws in the US, to give individuals greater control over their data.


Of course, there are also those that argue that the US is far from following Europe’s footsteps. With a powerful tech lobby active in the US’ halls of government, alongside the trials of getting any such complicated law through Congress, there are those that doubt that public attitude will spur stricter law-making in this area.



One key issue raised by those who are sceptical about a US GDPR is the lack of an effective agency to carry regulatory responsibility. Unlike the UK (which will retain GDPR post-Brexit) the US has no Information Commissioner’s Office, i.e. no single entity that can be charged with cross-sector data protection enforcement.


Can the US really function in a data-bubble?


Whether or not we will see the US adopt a stricter legislative stance on data protection, organisations cannot ignore the power of consumer perception or the effects of global responses to these concerns.


For example, Brazil’s General Data Protection Law, or GDPL echoes much of the GDPR and gives organisations doing business there until 2020 to ready themselves for compliance. For ambitious US businesses seeking growth in global markets does it really seem sensible to simply cut ties with countries, or indeed neighbour States that adopt stricter regulation?


Similarly, with consumer attitudes shifting across the globe, shouldn’t US organisations be considering the reputational benefit of being proactive in adopting fair and stringent data protection practices?


Many commentators go a step further, and describe the business benefits GDPR compliance can have. From better, smarter data management and analysis to improved customer loyalty and better ROI on marketing, the benefits of being GDPR compliant by choice, rather than by force, are numerous.


US businesses could indeed wait to review their data protection culture until the law forces it. In doing so, however, they need to question whether their customers and partners will already have left them, and their business, far behind. When competition for customers is fierce, competitors will move in where they see weakness. With a spotlight now firmly on data protection as a measure of good business practice, you can be sure your competitors are seeking advantage.


Tenax are experts in cross-border compliance in data protection. Speak to our experts today about how your business can benefit from GDPR compliance – and how to get there.