Even as the Indian Hotels Company Ltd. announced updates to its privacy policy before the May 25th deadline for General Data Protection Regulation (GDPR) compliance, the Indian hospitality industry is still struggling to comply with the regulations. Barring the Indian Hotels Company Ltd. or The Taj Hotels and Leela, none of the other hotel chains seem to have made the GDPR regulations.
The EU GDPR was introduced on 27 April 2016 with the aim to fortify data protection for any kind of EU citizens, preventing the misuse of Personal Identifiable Information (PII). It is expected to revolutionize data protection laws across the EU. Its implementation had been given a two-year time, the completion date being 25th May 2018, so that organizations the world over can understand and steadily adapt to it in order to avoid heavy fines that would result from non-compliance.
The GDPR impacts not only businesses within the EU but also global businesses that have any collaborations with EU. For example, India has a substantial marketplace for the ITeS, BPO, and pharmaceutical industry in Europe. According to PwC India, “The size of the IT industry in the top two EU member states (i.e. Germany and France) is estimated to be around 155–220 billion USD.” This highlights the significance for Indian companies to comply with GDPR. After all, non-compliance could result in penalties of 20 million EUR or 4% of global turnover. That could be devastating for any company.
New Alliance between Netherlands and India Seeks to Boost Investment in Solar Energy
The hotel industry, by nature of its service, finds itself in possession of a horde of personal data belonging to their guests. However, in accordance with GDPR guidelines, hotels might have to delete certain information if requested by the guest.
As was revealed by the Hyatt hotel data breach incident in October 2017, hotels are vulnerable to content leaks, which can impact customers as well as the hotel’s reputation. A payment systems breach at the Hyatt Hotels Corporation exposed customer credit card data from 41 hotels in 11 countries globally. The breach was discovered in July, but Hyatt was only able to inform customers in three months.
The Taj Hotels updated its TAJ Hotels Data Privacy Statement to highlight the changes they have brought about.
“This privacy statement describes how we collect and use your personal information and data, in accordance with the EU GDPR. It applies to all guests and visitors, known through this document as “data subjects”. The IHCL Group is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy statement,” the statement said.
According to ET, prominent hotel chains such as The Oberoi Group, Marriott, Lemon Tree Hotels, and ITC Hotels have not commented on the subject, though Hilton has updated its privacy policy in keeping with GDPR. “We are aligned with the regulations and are processing and updating our systems and operational matters. We are in touch with our EU clients and customers,” a Hilton told ET.
ET quoted Mandeep S. Lamba, who stressed how important GDPR compliance was to hotels, “The protection of personal data received either for reservations or for payment of hotel bills or any other purpose has to be fully protected in accordance with the GDPR. If a customer wants his/her data edited or deleted, the hotel must have the ability to do so and to provide a complete trail and evidence,” he said.
India’s weak digital infrastructure threatens hospitality industry
However, all hotels have not been so prompt with updating their privacy policies.
“While the larger organized hotel companies have taken cognizance of the GDPR and are acting to ensure compliance, the smaller companies are the concern and have not shown the necessary agility. Most people are not realizing that while this is an EU regulation, it has ramifications across the globe for any company that has gathered personal information of any EU resident while the resident is within the EU geographical region. This means that any hotel bookings taken for EU residents makes any hotel or travel agency subject to GDPR and the ramifications of any breach of the same,” Lamba told ET.
According to ET, Rana Gupta, VP, APAC, sales and services, identity and data protection (enterprise and cybersecurity) at Gemalto explains that GDPR does not apply if a company only processes personal data outside the EU and does not offer its hospitality services to EU member states or tracks them on the internet. However, if the company has a website with the ability to translate into European languages, and uses search optimization engines that show up as options targeting EU domains used by EU travelers, then GDPR applies because this indicates that the company is offering its services to EU members.
Apart from hospitality, the Indian IT industry must also watch its back and can expect many changes in the environment of their products, since Europe is its second-largest market after the US.
