Big Care!

In my previous post, I listed, without elaborating, what, according to Bob Braun, are the 5 most relevant points for cybersecurity in the hotel industry:

  • Compliance is not security;
  • An informed response is better than an immediate response;
  • Credit cards are not the only risk;
  • There is no cybersecurity without taking into account the human factor;
  • A cybersecurity culture is necessary in hotels.

There is no hierarchy in the above points, as they are largely interconnected. Therefore, and because the objective of these articles is to start to shorten the path, I will start with an issue that cuts across all 5 points: privacy, protection and processing of personal data.

Everyone has heard that a community directive on privacy is coming and that with its entry into force things are going to get very tough: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND THE COUNCIL. With so much information and noise about this subject, some myths have already been born that are best dispelled:

1st MYTH - It is a directive

No, it's a regulation, and that makes all the difference. In practical terms, it means that it comes into force without the need for national legislation (unlike a directive).

2nd MYTH - It only deals with the protection of personal data

It deals with the "protection of natural persons with regard to the processing of personal data and the free movement of this data". Therefore, in addition to the challenges of retaining and processing personal data, it also addresses the conditions under which that data can circulate.

3rd MYTH - It comes into effect, we don't know exactly when

We know exactly when. Just read Article 99 to find out that it comes into force on May 25, 2018.

As I suspect that I will deal with this topic more often, I chose to start here, because we only have 16 months to prepare for a fundamental change. Perhaps it is better to address the challenges it imposes now and not leave everything until FEBRUARY or MARCH, when the press finally becomes interested in the subject.

That said, it is important to start by establishing the following assumptions:

Based on the assumptions listed above, it is easy to begin to understand why privacy is a topic that cuts across the 5 initial points. Knowing that it applies to the most varied industries, I intend to focus on the Hospitality Industry.

The processing of personal data is currently covered by Law No. 67/98 of October 25th, which transposed the community directive 95/46/EC of October 24th, 1995. This Law already establishes that the processing of personal data must be carried out in a transparent manner and in strict respect for the preservation of privacy, as well as fundamental rights, freedoms and guarantees, and that "personal data" is basically everything: "any information, of any nature and regardless of the respective support, including sound and image, relating to an identified or identifiable natural person ("data subject"); a person who can be identified directly or indirectly, namely by reference to an identification number or to one or more specific elements of their physical, physiological, psychological, economic, cultural or social identity".

We all know that in the Hotel Industry, a reservation is loaded with this type of data. We also know that there is an obligation to collect data for the Foreigners and Borders Service (SEF) accommodation bulletin. Since the collection for the SEF is covered by law, it is not a problem from the outset. The issue lies in storing and processing this and other data, as they must be "collected for specific, explicit and legitimate purposes, and cannot be subsequently treated in an incompatible manner for these purposes."

We also know that most computer systems store this data, as well as other personal data relating to guests' reservations and stays, without anonymizing it after some time. Now, the data collection process in most hotels, even though there is a legal possibility to opt in (often written with double negatives), presents cybersecurity and legal risks. Regulation (EU) 2016/679 recognizes this and imposes important changes to this collection, mainly related to the information that, in this case, a hotel needs to provide in order to collect the data, and the way in which a guest can consult, choose and request removal of this data.

We know all this; however, the following questions are legitimate:

  • Can a guest be sure that the data provided is only used for the specified purposes?
  • Were hoteliers careful and diligent when someone, with or without authorization, entered the system and 'took' this data?

Answering these questions is not easy, nor can we generalize; there is a little bit of everything. But BIG Care. Why?

It is easy to understand that credit card data is not the only risk, that even if you have excellent security policies and systems, there can be 'bad luck', and that educating people internally and externally on the topic of privacy is fundamental. That is why this theme cuts across all the others.

As a guest I often see behavior in hotels - from hoteliers and guests - that in no way contributes to a technologically safe environment. In the time of social networks and social review, so that we can all live with privacy as a fundamental principle, there is still a lot of work to do.

On the other hand, I know that technology advances and, as you can read in my colleagues' posts "Big Data: The door to the Hotel Management of the Future!" and "How the Hotel Industry can grow with Data Science", data processing using Big Data is coming to the Hotel Industry. What I want to share is that the rules on privacy, protection and processing of personal data are one of the counterpoints to this innovation that the hotel industry is beginning to adopt.

Let's see: there is no harm in collecting, storing and processing data. It is an excellent tool for businesses to make management decisions based on information rather than intuition. However, there are risks and requirements that must be understood and met.

Today, using all data available in systems represents a risk that, with Law No. 67/98, may be considered by some to be negligible. However, with Regulation (EU) 2016/679, the global turnover is now considered at a percentage of 2% to 4% up to 20 million Euros for the application of fines.

Therefore, being informed is a crucial part of the equation - knowing what to do, how to do it and what impacts to consider makes all the difference in the adoption of behaviors, procedures and systems.

In reality, this depends on all of us. It is a good principle, as opposed to the idea that it is only the laws that defend us, to be aware that there are ethical and legal limitations to take into consideration in a world increasingly full of 'sensors' that collect millions of data points that can be processed very easily. Those who defend us (the first line of defense, of which the hotelier must be an integral part) are, firstly, those who can and should be informed, those who consciously seek to understand, and make people understand, the various frameworks that each technology imposes. Then, there are laws, technologies and institutions.

In my day-to-day life, I am surrounded by sensors, data, information and technology. For me, I hardly see things working without all of this. I understand technology as a benefit, but I always try to understand the how, when and why of its application.

Therefore, dear hoteliers, use a lot of technology, technology that allows the industry to be increasingly competitive and that provides increasingly better experiences for guests, but with caution: be BIG careful and always be aware of the best way to implement it, so that we can all spend a peaceful night, whether at home or in a hotel.

We will return to this subject more often.
