With the enforcement of GDPR less than 48 hours away, the hospitality industry has had a big job on its hands to catch up with the changes in requirements. By the very nature of the industry, a Venue wouldn’t want to “duck” the GDPR requirements by excluding EU citizens, and as such, all hoteliers are affected, irrespective of global location.
There’s been some great work carried out by the industry, particularly the whitepaper produced by HTNG that provides context, clarification and guidance (as much as is possible with any new Regulation!), and we recommend reviewing their extensive work as part of your assessments.
Identifying (and categorising) the personally identifiable information (PII) that you process across all systems should be the starting point, but it is then important to determine your role as either the Data Controller, a Processor, or a sub-processor.
To do this across all of the business systems is complex and a significant project for any organisation (having done so within Airangel, trust me, I have great sympathy and empathy!), and understandably, the Guest WiFi system seems to have been a relatively low priority for many, assuming that the provider “will have that covered”.
However, all may not be as it seems at “first glance” and we are still receiving queries from Venue Operators who are trying to establish who is the Data Controller for the Guest WiFi system, something that should have been considered at the outset of the data protection audit and impact assessment.
In very simple terms, the test of this is to confirm who decided what data to collect, and how it will be collected and used – who determined the “purpose and means”?
So, who are you within this relationship?
If you as the Hotel GM or Marketing Manager have decided what that guest will need to do to get on your WiFi, what data you will collect and how it will be used, then you’re very likely to be considered as the Data Controller. In this scenario (typical within the Airangel ecosphere), Airangel will be classed as the Data Processor, as we do not own, access or dictate the use of that data other than for support purposes. So that’s a pretty clear and distinct relationship, which is easy to understand and communicate to your guests within Privacy Notices and Terms of Use.
If you’re the GM within a Venue and the portal design, and user authentication journey has been “sent down from upon high” by the Global Hospitality Group, and particularly if the journey involves a centralised authentication requirement, then things could be a lot more complicated. Depending on who controls what is done with the data, then it may be that the Hospitality Group is the Data Controller, or, if you have an ability to use that data for your own purposes as well, you’re likely to be viewed as Joint Controllers.
Similarly, if you have bought in a Guest WiFi service from a third party Operator, and that third party controls the sign-in process, but you have access to or use of that data, the same situation may also apply. If it’s just marketing data that is passed to you by the Operator, then it may be that this can be covered off within their own terms of use, so long as clear consent has been given to allow the data subject’s PII to be shared with third parties (you, in this case).
Summary
The long and the short of it is that it’s often more complex than you may at first think, but it’s imperative that you have a very clear understanding of your role, and therefore your GDPR responsibilities, and also those of your data processors.
Our own GDPR project is now almost 2 years old, during which time we have evolved our readiness position, and now have documentation, processes and supporting materials that can assist in your own GDPR compliance project.