GDPR vs. Hotels – A cybercriminals paradise

Pete Hannah, UK and EMEA regional director at ZyXEL

Hospitality is one of the most vulnerable sectors when it comes to data threats. According to Verizon’s data breach report, the hotel industry is among the highest sufferers of data breaches across any sector, due to the highly desirable nature of the information that it processes. If a hotel has inadequate data protection policies and practices in place, staff will unwittingly be giving cybercriminals easy access to guest names, addresses, mobile numbers, card details, passports, driving licences, car registration plates, hotel room numbers and planned duration of visits – to name just a few. If guests need to provide personal details to access the hotel’s WiFi, their email address and password will also be at risk.

But what are the consequences? By accessing personal guest information, a cybercriminal can gather everything they need to clone someone’s identity, access their financial details and even physically access their home - making hotels a hot spot for cybercriminals.

But the hospitality sector is not alone and is just one example of why the EU General Data Protection Regulation (GDPR) has been developed - to ensure that adequate data protection is incorporated into the process of collecting and maintaining personal data, no matter your sector. With the GDPR compliance deadline on May 25th, many organisations in the IT industry have been preparing for almost two years. However, other industries - including the hospitality sector - are only just beginning to think about their game plan.

If it’s going to be compliant, the hospitality sector must have data protection at the forefront of its mind. Failure to do so post-May 25th, could result in penalties related to data breaches starting at €10 million and rising to as much as €20 million or 4% of a business’s annual turnover, depending on which is higher . Enough to signal the end for any small hotel owner.

With less than a month to go, the race to get it right is on ...so where do we start? The best place is with a security audit, to review all current practices to ensure they are fit for purpose under the forthcoming regulations. The following checklist will help hospitality business owners to know what to look for and what steps to take, to ensure compliance:

1. Regularly change passwords for admin logins. This should be standard protocol but is often ignored by hotel owners and a basic data security error, which if not followed could give cybercriminals easy access to your systems and databases.
2. Keep guest WiFi separate from the hotel’s personal WiFi network [Find out more by reading our case study with The Salutation Hotel. Keeping the two-separate means that different security policies can be applied and there is less chance of a hacker masquerading as a guest in order to access sensitive information.
3. Apply different levels of access control policies and separation of traffic across the network, to keep data separate and as secure as possible.
4. Article 32 of the GDPR specifically addresses the requirement for businesses to provide robust data security, to enable secure access and secure processing of data. Businesses, across all sectors, must have a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring top-level data security. To comply, a high standard of network security must be implemented which will ultimately protect its integrity from the increasingly frequent and sophisticated malware attacks on networks and devices around the world.
5. Explicit consent from individuals must be obtained to collect their personal data – guests must therefore be presented with a clear option to opt-in.
6. The reason for data collection must be clearly specified and communicated to guests so they are aware of how their data will be used, before agreeing to consent.
7. Any personal data processed must be profiled and segmented lawfully, fairly and in a transparent manner. This process covers the collection and manipulation of data to gain insights and produce meaningful information. Processing should not take place for reasons outside of the initial purpose specified.
8. Any data held must be kept up to date and regularly reviewed for accuracy.
9. Data should only be kept for as long as it is needed, for the reason it has been collected for. While, there is no specific minimum or maximum periods for retaining personal data the ICO states: “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. In practice, it means that you will need to: •
   • Review the length of time you keep personal data;
   • Consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
   • Securely delete information that is no longer needed for this purpose or these purposes; and
   • Update, archive or securely delete information if it goes out of date.
10. If individuals exercise their right to be forgotten, they must have visibility of the data stored about them or have any stored data updated by means of a clear process. Any requests by individuals to update their data, be forgotten or for disclosure of what is held about them, must be handled within one month of the request.

Data is at the core of the hospitality industry and will continue to be for the foreseeable future, but just because data is stored electronically, it doesn’t mean it is safe and secure. With company and guest data constantly at risk, data protection requires a succinct strategy to ensure data is protected. Whether it be hard drive failure, loss from natural disasters or malicious cyber-attacks, data protection and the GDPR should be taken seriously. Data loss or incidents have the potential to jeopardise any business and its customers in seconds, so it must not be ignored.