Data Controller – GDPR For Hotels
The Data Controller

The responsibility for compliance with GDPR lies with the Data Controller.

What Is A Data Controller?

If your organisation decides what data to collect, what is to be done with it and how it is to be used, then you are a Data Controller.  The ICO will give you a more detailed definition than this, but in essence, if you make the decisions, you are the Data Controller.  As a Data Controller your organisation needs to be registered with the Information Commissioner’s Office (ICO).

In the context of hotel management, your task as a Data Controller is made complicated by several issues:

  1. Hotels make use of a LOT of third parties when it comes to the use of technology for processing personally identifiable information (PII).
  2. The rate of staff turnover in the hotel industry can be quite high.  This means your “organisational memory” for dealing with GDPR responsibilities can be short.  You need to keep reminding people what to do and re-training.
  3. Hotels use a lot of PII.  Plain fact – a reservation contains lots of PII.  Employee records are full of PII.

Third Parties – Your Data Partners

If you run a hotel, the chances are you use somebody else’s technology to help you do so.  For example, all of these will probably handle PII:

  • Property Management System
  • Customer Relationship Management System
  • Payment Card System
  • Website
  • Online Booking System
  • Online Travel Agent Websites
  • Channel Manager
  • Email Autoresponder
  • Employee HR System
  • Employee Payroll System
  • Cloud Systems

And then you have to think about the technology you use yourself as part of the processing:

  • Desktop computers
  • Laptop computers
  • Tablet computers
  • Smartphones
  • Servers
  • Backup drives
  • Disks – DVD and CD storage
  • USB thumb drives

But we’re not finished yet.  People write stuff down too:

  • Reservation cards
  • Registration cards
  • Correspondence records
  • Copies of bills
  • Enquiry records
  • Archived records
  • Notebooks
  • Post-it notes
  • Sheets of paper

As the Data Controller, you are responsible for all the PII processed using any of the above.  Note that this is not an exhaustive list; it’s just there to get you thinking.

The Problem With Hotel Technology Partners Is…

If you use a third party to process PII data on your behalf, they will usually be defined as a Data Processor.  GDPR means that there needs to be a legal contract agreement between the Data Controller and Data Processor specifying exactly how the PII data is to be processed.

If the Data Processor deviates from that specification, in other words makes its own decisions about how the PII data is to be processed, then it will be defined as a Data Controller itself.  This is fair.  Think about it:  if you select a data processor and define what you want them to do with PII under your control, you can hardly be held responsible if they then go off and do something else with it.  That’s why you need the contract document.

The problems don’t stop there.  In the case of some of the third parties noted above, your organisation won’t be the Data Controller; you will instead assume the role of Data Processor.  This is the case with Payment Card systems.  They specify what data is to be collected and how it is to be processed.  You just do as you’re told.

Some technology partners will need a Joint Data Controller arrangement with you, which will need a contract specifying exactly which party is responsible for what, and what will happen if either party fails to observe its obligations.

It remains to be seen exactly how this will play out.  But it is probable that your Property Management System and the OTA websites will have some sort of Joint Data Controller requirement.  You will need really strong and robust legal advice if you’re entering into a joint contract with some of these large OTA websites.  Their default contracts are unlikely to be written in your favour.

Your Real Problem As a Hotel Data Controller

It is not all about technology.

Investing in the latest software isn’t going to make you compliant.

If there’s going to be a data breach, I suggest there will be a person – an employee – responsible for it happening.

It won’t be deliberate.  It will be a genuine mistake.  An error.  An accident.

Your real problem, as a hotelier, is how you are going to create and maintain the organisational structure and behaviour that ensures an appropriate response to a data problem.