The Hospitality industry and GDPR compliance during Covid-19 and Brexit


The hospitality sector was one of the industries that suffered the most throughout the Covid-19 pandemic. Not only did businesses have to survive lockdowns and meet many requirements to be able to reopen, but Brexit added further challenges for the industry. Now that hotels, restaurants and pubs are reopening, the main focus is to get up and running again. As a result, certain business management areas are taking a back seat, including data protection and compliance management.

While it’s understandable that many businesses are still in a difficult economic situation, how much of a risk could a lack of focus on data protection compliance pose for the hospitality sector? In this article we analyse the role of data protection compliance in the hospitality sector after the Covid-19 lockdown and assess the potential risks in the coming year, 2022.


The impact of the Covid-19 pandemic on the UK hospitality sector

For over a year, hospitality businesses were shut down and left without any income streams due to Covid-19. On top of that, Brexit added another strain, as many foreign workers left for their home countries, which led to a serious labour shortage. Now, coming out of the pandemic, businesses have two main concerns: (1) the number of room and table bookings and (2) finding and hiring talent.

Marcolette Anastasi, DOF at the Royal Lancaster Hotel in London, says: “The hospitality sector has lost many workers due to Brexit. And for many hiring talent is a top priority”. However, hiring local talent is no easy task. She adds: “there is a lot of work to be done to make the hospitality sector the industry of choice to work in”. In an industry known for lower salaries and tough working hours, the demand for talent is changing things, and employees now have the upper hand in aspects such as negotiating their salaries.

While this change in the industry may be beneficial in the long term, at this point it leaves many struggling. In April 2021, the hospitality sector reported a £80.9bn loss of sales over a 12-month period, which represents around £220 million of sales lost every day during that time. Since businesses started to open up again, the numbers indicate that the hospitality industry is starting to recover and consumer spending has increased, but as of July 2021 it was still a staggering 70% below pre-pandemic levels.

“That being the situation, data protection and compliance with the GDPR is on the back burner and it’s unlikely to change any time soon”, comments Anastasi.


GDPR compliance in hospitality

DLA Piper publishes an analysis of the overall development of the GDPR every January, and it is expected to do so again in January 2022. We will update this article accordingly at that time to keep the information relevant for the industry.

Pre-pandemic, the hospitality sector took a relatively generic approach to GDPR compliance. “Some businesses managed better than others, however it was mostly, and still is, treated as a tick-box exercise”, says Anastasi. She explains that many perceive the regulation as not very “hospitality friendly”, because customer data is important to be able to offer an excellent service and the GDPR puts limitations on that.

Across Europe, hospitality is the one sector that has received the smallest number of fines thus far, but the total fine value is bigger than in any other industry, and the UK is leading the way with two of the largest fines ever issued: British Airways (originally a £183 million fine) and the Marriott Group (originally a £99 million fine). Although the authorities took a more lenient approach and the fines were drastically reduced due to the pandemic, the final amounts were still hefty, with British Airways paying £20 million and Marriott £18 million for the reported data breaches.

Whether or not GDPR enforcement in the sector is going to change soon remains to be seen. But there are signs that suggest the grace period granted because of Covid-19 is over and that authorities are preparing for stronger and stricter enforcement.

Since the GDPR took effect in May 2018, the number of reported data breaches has grown in the double digits year on year, with the aggregate daily rate of breach notifications in the UK and Europe experiencing a 19% increase from 2019 to 2020. It is likely to be the same for 2021.

Consumer awareness is rapidly picking up and people are making use of their rights under the GDPR.

As of writing (November 2021), the average waiting time for the Information Commissioner’s Office (ICO), the UK data protection authority, to respond to a data breach complaint is about 14 weeks. This puts into perspective how many cases the ICO is dealing with, and probably also that it is understaffed for the volume of data breach complaints coming in.

Thus far the ICO has issued 77 fines since the GDPR and PECR took effect. This doesn’t sound like a lot, and companies may be inclined to believe that they won’t be affected. However, 63% of all UK fines were issued in 2021 alone, and the year isn’t over yet.


What type of data breaches are businesses being fined for the most?

Taking a closer look, a lot of the recent UK GDPR and PECR fines were for unsolicited direct marketing communications, where individuals hadn’t given their consent to receive marketing calls or emails. Although there are already many options for managing consent, it seems businesses are still willing to take the risk and contact individuals without it.

Looking at our neighbours in Europe, a lot of the fines related to infringements of the GDPR’s transparency principle. This covers, for instance, overly complex privacy notices or, at the other end of the spectrum, insufficient detail, lack of accuracy and missing information at the point of data collection.

Ewa Kurowska-Tober, Global Co-Chair of DLA Piper’s Data Protection & Security Group, said in the context of their last report: “Regulators have been testing the limits of their powers in 2020 issuing fines for a wide variety of infringements of Europe’s tough data protection laws. […] Given the large sums involved and the risk of follow-on claims for compensation we expect to see the trend of more appeals and more robust defences of enforcement action continue”.

While, statistically speaking, the likelihood of a medium-sized business being fined is still relatively low in some EU countries and the UK, for industries recovering from Covid-19 and Brexit a data breach could be the final blow.

The financial burden is not the only risk that comes with a data breach. Marriott has suffered great reputational damage and, as Kurowska-Tober forecast, is still dealing with a class action for compensation from customers who were affected by the data breach.

There are also other punitive measures regulators can take which can cause disruption to many organisations, such as suspending data transfers altogether if they are considered unlawful. For the hospitality sector, this could mean halting entire operations used for property management and customer service, depending on the circumstances.



Data breach risks in hospitality to watch out for

1. The need to digitise the customer experience can lead to increased data privacy risks

Businesses had no revenue for over a year, and all of a sudden they were asked to invest in a variety of measures in order to be able to open again, ranging from space dividers and disinfection stations to working with new technology vendors for contactless orders, payments and vaccine checks. Technology adoption experienced a real push in this rather traditional industry. A recent research report, From Agile to Fragile: How to Navigate the New Era of Hospitality, conducted in outlets in the UK, Europe and the USA, found that since the first lockdown in 2020, 70% of businesses have rolled out new or updated digital tools.

However, due to the circumstances, little to no due diligence on data protection and security was conducted.

“Already cash-strapped, businesses’ only concern was ‘I need x to open again, where do I get it and what is the cheapest option?’ As a result, businesses didn’t really even ask the question of data protection when sourcing new vendors for digital solutions,” says Anastasi.

Under the GDPR, data controllers have a responsibility to check new vendors for compliance and to ensure that personal data is handled properly. While many of the vendors may have taken sufficient measures to protect the personal data processed on their systems, the main responsibility sits with the data controller if something goes wrong. Ironically, the government’s requirement that businesses implement solutions for greater protection against Covid-19 increased the potential risk of experiencing a data breach.


2. Limited IT budgets with little to nothing left for data protection

While the industry was forced to adjust and digitise parts of the customer experience, areas that would really benefit from a technology upgrade fell short.

“IT investment in the hospitality sector has changed over the last decade but not as much as other industries,” comments Anastasi, who has worked in finance in the hospitality sector for more than 15 years. “If budget is available it’s rather used on supply of goods and new furniture, IT comes at the very end.”

Legacy Property Management Systems (PMS) are one such example. A few key players own the market, but these systems don’t support GDPR compliance management.

Changing the Property Management System would require a big investment, money that businesses don’t have. And if it’s not broken, why fix it? That is a strategy much followed in the industry for IT investments, according to Anastasi, “and many executives in the industry do not always fully understand the benefits of technology”.

Further, with new systems and tools, training is required. According to the From Agile to Fragile research, 34% of businesses stated resistance to change as a challenge, while one-fifth (21%) said their front-line teams lacked the capability to implement change, and a similar number (23%) felt customer-facing staff didn’t understand the 12-month plan for the business.

Limited IT budgets and a reluctance to invest in new technologies unless really necessary push data protection and security to the end of the priorities list.


3. The risk of human error and lack of leadership

It is well known that the greatest risk of a data breach is human error, and the hospitality sector is no exception. “Often incidents happen with good intention. For example, the reception takes notes on a customer’s preferences without their knowledge and this data is then being carried around and distributed within the hotel.

“Most of the time it’s the people who have the least amount of knowledge about the GDPR who deal with the largest amount of customer data every day.”

The Agile to Fragile research found that 41% want to give their front-line teams greater decision-making powers, but when it comes to compliance management there seems to be a lack of support from leadership teams in the industry for embedding data protection principles in day-to-day operations. “At the moment, I’m not concerned about the calls I do receive from front-line staff about data protection related matters, I’m concerned about every time I do not receive a call”, says Anastasi.

Proper training can help mitigate the risks and at the same time help build trusted relationships with the customer.


The perfect storm?

With the hospitality sector relying on front-line teams that have a limited understanding of data protection best practices, small budgets for data security and protection, and no procedures for vendor due diligence, a perfect storm seems to be brewing, and it is only a question of time until the hospitality sector is hit with the next data breach scandal.

Anastasi predicts that hotels will postpone investment in data protection for as long as possible, and that GDPR compliance will go one of two ways: “either hotels will get fined eventually because they experience a data breach or something big will happen that drastically changes perception on the importance of GDPR compliance.

“As of now the risk of getting fined is perceived as relatively low. A harsher approach to the GDPR would get people annoyed but you need buy-in. If, for example, GDPR non-compliance could lead to losing your business licence, it would be treated equivalent to how food safety or health & safety standards are treated in the industry. No one would question the need to comply with the GDPR, because the stakes of losing your licence are too high.”

For now, no such change is on the horizon and so businesses are left to assess on their own the risk of experiencing a data breach and the potential impact it could have.


Ways to implement GDPR compliance operations

A main challenge, and not just for hospitality businesses, has been operationalising the GDPR and making it part of day-to-day business. This becomes increasingly difficult with limited budgets and resources. However, Anastasi believes there are simple steps hospitality businesses can implement already.

“Many in the industry are in the process of hiring new talent, and as part of that process, those hires will need to go through training. Include data protection management and awareness training as part of your training programme. The current situation is tough, but you need to train your staff anyway.”

In addition, there are software solutions that can help businesses streamline and centralise their compliance management. These solutions can support an automated process for assessing technology vendors against certain security standards, as well as the development of a plan for investment in data protection and security management to reduce data breach risks and prepare for the future.
