For many, the first months of the year often mark the beginning of travel planning. As technology evolves and data suggests around 1.4 billion people travelled globally in 2024, the hospitality industry continues to embrace innovations to improve operations, such as check-ins, booking flights and hotel reservations. However, this increased reliance on technology also increases risks to sensitive personal data, particularly with the increasing use of AI tools in customer engagement. Moreover, evolving privacy laws and increasing scrutiny of how companies store, share, and collect customer information mean businesses must protect personal data collected from their employees, contractors and customers who rely on their services.  

Complying with Data Protection Laws while adopting new technology 

The hospitality sector now relies heavily on digital processes like website cookies for tracking user activity, social media campaign analytics, online/mobile booking systems and human-free check-ins. As technology increasingly becomes smarter, personal (including sensitive) data requires ever tighter safeguards and protection. Most businesses will have some form of cybersecurity processes in place, but what is often more imperative is having a privacy team that understands the varying international regulatory requirements and how the systems and tools used by the business comply with these.  

An often missing link is the support of a Data Protection Officer (DPO) who can interface with data protection authorities, keep the business abreast of emerging privacy laws or updates, and provide critical support during incidents involving personal data. 

Ensuring cross-functional teams include privacy teams 

While not always the primary focus for hospitality businesses, particularly during peak periods, compliance is crucial in an industry ranked as the third most targeted sector for cyberattacks. Several incidents highlight the associated risks and penalties to key players in the hospitality industry: the MGM Resorts International breach in 2019, the Marriott International breach in 2018, and the Hilton breach in 2017 show that companies can lose goodwill for non-compliant data processing. 

The DPO can support the privacy team in many ways, including conducting regular Data Protection Impact Assessments (DPIAs), implementing Standard Contractual Clauses (SCCs) where required for international data transfers, and overseeing regular audits of the existing privacy programme. Regulations are continually evolving, requiring constant improvement and monitoring to ensure compliance, help build customer trust, and protect sensitive information. 

Cross-Border data transfers: Divergent regulatory complexities 

With many individuals booking international trips at any one time, expertise in navigating divergent regulations is required, particularly as global privacy laws tighten. For example, the GDPR imposes additional rules for ‘third countries’, while China’s Personal Information Protection Law (PIPL) imposes noticeably stricter rules on international data transfers than the GDPR, as it mandates data to be stored locally. More jurisdictions are enacting data protection regulations to help, but the result can seem like a maze of regulations to comply with simultaneously, as individuals book trips in one country and travel to another. 

A DPO with experience of global privacy laws can ensure the dots are joined in and between the markets the company operates in, which helps protect the customer as well as the business. Their expertise can also help the technical team enhance data security, ensure guest data rights are effectively managed, and ensure the relevant rules on how data is retained and stored are followed.  

As the hospitality industry and technology evolve, data’s role will continue to grow in importance and implementing strong governance will be imperative. As a provider of global DPO services, HewardMills’ experienced team is well-positioned to support businesses to comply with international data privacy regulations by implementing privacy frameworks that can adapt to evolving business needs without compromising security.  

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com. 
