The Data You Store Can Break Your Guest Experience: Here’s a Quick Guide on How to Keep Information Safe

By making your data a priority, you are putting integrity, transparency, and trust at the core of your organization and guest experience. Here's a quick guide on data privacy and information security for the hospitality industry in the new era of travel.

2022 was seen as a year full of hopes and expectations for travel and hospitality. And the predictions have proven to be true. Based on our latest research, travel is rebounding with the latest data showing that some countries may come close to or even exceed the pre-pandemic numbers.

With more travelers hitting the road, there is one thing that can’t be overlooked: data privacy and information security. What changed? What’s the main challenge for hoteliers when it comes to keeping data safe in this new era of travel? 

How data privacy & information security can make or break your guest experience 

Building guest experience goes beyond great customer service, beautiful location, and nice amenities. Data privacy and information security are one of the building blocks of a guest relationship based on trust. Just imagine experiencing a data breach where thousands of your customers’ data is exposed. Credit cards, phone numbers, emails…when sharing personal data, guests have given a token of trust to your organization, and this can be lost in an instant if such events occur.  

The risk of a data breach is very high for the industry, hospitality being the third most targeted sector for cyberattacks. Hotels, accommodation units, and destinations collect, process, and store a massive amount of personal, sensitive, and identifiable information of their customers, employees, and partners. This can include phone numbers, email addresses, card details, addresses, etc. This data can lead directly to something called Customer Personal Identifiable Information (CPII) and is among the most common type of record loss found across 44% of data breaches, according to IBM. Each damaged record comes at a massive cost for organizations. It is estimated that the cost per record in case of a breach can go up to $180.  

Managing a data breach comes at a huge price - the average cost per breach may rise to a whopping $ 4.16 million. These costs, as well as the risk of being exposed to a breach, are increasing on a yearly basis.

 

Keeping data policies consistent with the current staff shortages

Making sure that data privacy and information security policies are implemented on a daily basis may be especially difficult in this period when staff shortages have hit record levels worldwide. 

As the above stat shows, it is a major challenge for companies to keep data secure due to a lack of qualified staff. So how do you even start with infosec if you have employees quitting after 2 or 3 weeks? Here are a couple of ideas that can help you begin the process: 

Implement an internal or external audit to have a clear understanding of where you are.  

Starting with an evaluation of the current situation is a must. Whether an internal or external resource is performing the audit, it is crucial to ensure impartiality and objectivity throughout the entire process. You want to make sure that this audit will help you fix current issues and improve your framework. Look at your data processing and storage systems and at how your staff uses these and other digital systems. Think of what you want to achieve by improving data privacy and information security and especially how you will do it.  

Another auditing tool that will help you identify any cyber risks is the PEN Test. A penetration test is a series of simulated attacks,  similar to those hackers would do, which will help identify security vulnerabilities related to mail, web servers, internet routers, firewalls, etc. These are usually performed by a team of information analysts on a yearly basis. 

Team up with an external expert to create, manage and implement data privacy and information security policies. 

An external expert can bring a lot of experience in designing, implementing, and evaluating data privacy and information security systems. It can also identify your weaknesses and strengths when it comes to keeping the data secure. However, one person won’t solve it all. Ideally, this expert would work directly with someone from your organization. Having at least one internal resource dealing constantly with that will ensure that the changes you implemented will have a better chance to stick. Plus, all the knowledge coming from external sources can be turned into an internal asset. 

Make sure your practices adhere to international standards and regulations.

There are several international standards that are key when it comes to data privacy and information security. Here’s the bad news: unfortunately, each region can have a different set of standards. If you’re managing multi-properties across the world, you will have to adapt your standards based on what’s required for each region. Here are some of the essential standards and regulations: 

GDPR  - General Data Protection Regulation

The General Data Protection Regulation is Europe’s data privacy and security law. Put in place in 2018, it is among the most strict and detailed regulations worldwide in terms of data protection. It applies to all organizations that are doing business in the EU and that are dealing with data coming from EU citizens.  If you’re not GDPR compliant, you risk being fined, and the fines are very high. This is not an easy read, and especially, not an easy implementation process - we recommend doing it together with an attorney or a Data Protection Officer.  

GDPR – 5 Last Minute Things That You Need To Do

PCI DSS  - Payment Card Industry Data Security Standard

PCI is a standard aimed at preventing any breaches related to card data and payments. You can start by completing a self-assessment questionnaire, available here, to evaluate your current status. The next step is to make sure that you use PMS or a hotel payment processing solution that is PCI DSS compliant and certified. They should provide an Attestation of Compliance to prove that.  

ISO 27001 Information Security Management

The ISO 27001 Standard aims to support organizations in designing, implementing and evaluating their information security systems. This is not a compulsory standard - there are organizations that choose to get certified to prove they implement best practices for their customers or suppliers. Whether you want to be certified or not, ISO 27001 offers a set of measures that will help you put in place a standardized framework for information security.

Train your staff on the essentials of data privacy & information security.

Data privacy and information security involve any member of your team that has a work email address, that uses the office WiFi or cable internet. Everyone from the kitchen staff to the receptionist should receive a certain amount of training related to how to make sure they detect phishing emails, what websites are accessed at work, and what types of external devices can they plug into office computers. Of course, the level of information will be different for each employee, depending on how much access he or she has to various systems.

Train managers, informal employee-leaders, and highly engaged employees on best data privacy and information security practices.  

To make sure best practices are followed, identify informal employee-leaders and highly engaged staff to make them a champion of information security and in this way, be an example for the other employees. 

Whether you plan to start or are already implementing policies to secure your data, you may find it a difficult process: making sense of all the regulations, figuring out the best way to implement measures that stick, and making sure all of your staff has a certain level of training. Don’t give up! By making your data a priority, you are putting integrity, transparency, and trust at the core of your organization and guest experience.