The Hospitality Industry is reportedly the third most targeted sector for Data breaches and hacking, after the Retail and Financial Services Sectors, which come first and second in regard to this menace.
The significance of this data breach risk is highlighted by the recent, massive global Data Breach of Hotel Guests' personal data. Though the Hospitality Industry is still arguably playing catch-up, there are some minimum Privacy and Data Protection Laws and Regulations that every business, especially a Hotel, that collects, processes, stores and retains any Guest Data must familiarise itself with, and adhere to.
Hotel Guests Valid I.D. Check-in
It is a global, standard practice for any Guest checking into a Hotel or other Hospitality Establishment to provide to such a Hotel a Government-issued Identification Document (“I.D.”), like a Driver’s Licence, National Identity Card, Voter’s Card, International Passport, etc., before any hospitality services are provided to such a Hotel Guest. This practice is also in compliance with the Money Laundering (Prohibition) Amendment Act, among other legislation and regulations on this matter.
A vast majority of Hotels also now require their Guests to pay for the services to be rendered by such a Hotel using the Guest’s Credit or Debit Card details, which are also provided at the point of check-in at the Hotel.
A large amount of private information or data is collected by each Hotel when its Guests provide to the Hotel copies of their public-authority-issued identification documents and their credit or debit card details. Each Hotel, as a Data Controller, must, therefore, ensure that in its collection of such Data, it familiarises itself with, and adheres to, the various Privacy and Data Protection Laws and Regulations.
Rights of Data Subjects
Data Protection Regulations give Data Subjects, like Hotel Guests, the right to ask questions of Data Controllers or collectors regarding how each Subject’s Data is collected, processed, stored and retained. Data Subjects also have the right to raise objections as to how their personal data are collected, processed and stored. The right of a Data Subject to object to the processing or handling of his or her data must be safeguarded at all times.
Data Controllers further now owe Data Subjects a statutory duty of care when collecting, processing, storing and retaining any Data Subject’s private information. Data Controllers must accordingly now develop security measures that safeguard the confidentiality and integrity of any data collected or processed from any unlawful and unauthorised access.
Data Protection Policy
Data Protection Laws and Regulations now expressly require any person or organisation (“the Data Controller”), like Hotels and other Hospitality Establishments, that collects, processes, stores and retains the personal data of any person in the ordinary course of its business transactions with such persons, to ensure that the use and privacy of such personal data are protected and safeguarded from any unauthorised and unlawful use or disclosure.
Accordingly, all Data Controllers are mandatorily required to publicly publish, in an easily understandable language, their Data Protection Policy, which Policy must disclose, among other things, what constitutes the Data Subject’s consent to the use of such Data, a description of the kind of Data collected, the purpose for the collection of the Data, the technical methods used in processing and storing such Data, the persons with access to such Data, the remedies for any data privacy violation, etc.
In furtherance of, and adherence to, the above statutory duty of care, Data Controllers must also now conduct annual data compliance audits of their Data Privacy Protection Practices, with their Data Compliance Audit Reports mandatorily required to be filed annually, on or before the 15th day of March of each calendar year, with the Data Protection Regulator.
Penalties for Data Breaches
In addition to any criminal liability prescribed by Law, one of the civil penalties for a Data Breach by a Data Controller managing more than 10,000 Data Subjects is the greater of a fine of 2% of the Data Controller’s Annual Gross Revenue for its preceding year of operation or N10,000,000 (Ten Million Naira).
For a Data Controller dealing with fewer than 10,000 Data Subjects, the penalty is the greater of 1% of the Data Controller’s preceding year’s Annual Gross Revenue or the payment of N2,000,000 (Two Million Naira).
Without prejudice to the right of the Data Subject to seek redress from a Court of Law for a Data Breach, a Data Subject can also approach the Regulatory Data Administrative Redress Panel to investigate and proffer appropriate redress within twenty-eight (28) working days of the lodgement of the Data Breach complaint.
Any Data Security Breach has the potential to incur administrative, civil and criminal liabilities. Hotels will, therefore, do well to mitigate, if not eliminate, these kinds of risks by adhering to the various Data Protection Regulations, some of which are highlighted above.