Today I held a General Data Protection Regulation (GDPR) awareness seminar for members of the Barbados Hotel and Tourism Association (BHTA).
With regard to data security, there are few sectors more exposed to data-related threats than the hospitality sector. The volume of personal and credit card information handed over to hotels, restaurants and similar businesses every day makes the sector an attractive target. Although the enforcement deadline passed on 25 May, several companies in the sector have still not updated their data protection processes and are at risk of large financial penalties.
The seminar touched on key areas such as the following:
- Major differences between the Data Protection Directive 95/46/EC and the GDPR
- Overall readiness across the hospitality sector
- Capturing and using personal data going forward
- Consent and contextual use of personal data
- How the GDPR affects repeat business and email marketing
- How the GDPR affects third-party data processors
- The rights of data subjects under the GDPR
- The difference between ‘personal data’ and ‘sensitive data’, and how they should be treated
- Other key aspects of the GDPR such as the Data Protection Officer (DPO), Data Protection Impact Assessments (DPIA) and ‘privacy by design’
- How to update strategies for websites, data governance, and marketing to become GDPR compliant
My takeaway from this session was that many businesses — small to large — have not made any steps to align their operations and processes with the requirements of the GDPR. Several others are defiantly refusing to address privacy and data protection within their organizations. However, what was gratifying is that I received a torrent of emails in the hours and days after from hoteliers, many of them eager to engage subject matter experts (SMEs) to assist in improving their control framework to meet the rigorous demands of the GDPR. Hopefully, this interest and willingness to improve is sustainable. There’s a lot of work to be done!