An increasing number of smart hotels offer guests a futuristic experience: checking into the hotel digitally, without a human receptionist. Guests scan their passport and a QR code to check in and are assigned a room. Where local law allows, guests may even check in without scanning any ID, simply by filling out a registration form. At the end of their stay, guests can pay by mobile and receive their invoice electronically. Once the hotel's app has been downloaded and activated, guests use it to unlock their rooms over Bluetooth. This works through so-called door beacons, short-range radio transmitters fitted to the door locks that talk to compatible phones. Once in the room, guests can connect to in-room devices such as the smart TV, regulate the temperature, set an alarm and access other services, guided by the app.
Such processing allows hotels to personalize their service, but it also lets them access and collect far more personal data than a conventional check-in does. Given the recent massive data breaches in the hospitality sector, hotels moving in this direction need to make sure that guests can trust them with their personal data.
Since hotel rooms are private spaces, hotels need to implement privacy by design and by default. Hotels must disable, by default, any collection of personal data that is not initiated by the guest or required for the stay, and must do so without requiring the guest to take any additional steps. In practice, this means that data collection by smart TVs, the recording of movement within the room and the capture of voice recordings must all be switched off unless the guest specifically turns them on.
How often have we stayed in a hotel room where the previous guest forgot to sign out of their Netflix or gaming account? Since a guest may have signed in to quite a few services during the stay, the hotel needs to ensure that every such session is terminated at checkout, rather than relying on the guest to remember, in order to prevent any further collection of personal data, accidental disclosure to the next guest or unauthorized access to the previous guest's accounts.
Hotels need to be transparent about which personal data they collect and for what purposes, and they must say so before collecting it. They also need to observe basic principles such as data minimization, collecting only the data the stated purpose actually requires.
Even if a hotel's own data protection measures are of the highest standard, cyber incidents can still occur through vulnerabilities in the systems of the third parties the hotel engages to collect or process guest data. For example, hotels usually rely on a third-party technology company to provide the app that connects guests to the hotel's services, and that provider will typically handle guest data on the hotel's behalf. Hotels therefore need to: 1) conduct due diligence on any such third party and confirm that its IT systems provide an appropriate level of protection; 2) ensure that the third party commits to contractual data protection obligations; and 3) monitor its compliance regularly rather than only at onboarding.