“Top Management”
GDPR: How Not to Do It
The deadline for European companies to adapt to the new General Data Protection Regulation (GDPR) is rapidly approaching on May 25th. This marks the beginning of a revolution in how citizens interact with companies.
Despite the natural inclination to view this new reality negatively—more regulations, more bureaucracy, increased scrutiny—I believe it is more than just legislative musings from bureaucrats in Brussels. The GDPR is merely restoring balance to the relationship between companies and individuals regarding how their personal data is collected and used.
First and foremost, the GDPR ensures our conscious choice to provide or withhold our data, without pre-selected tick boxes or fine print hidden in the terms & conditions. It also grants effective control over the data for consultation, editing, portability, or deletion. Furthermore, it opens the door to the valuation of this data in the market. If, in the old reality, a company like EDP turned my data into a commodity for telecommunications providers, why should I offer it without compensation?
Despite the Regulation having been in force for almost two years—May 25th only marks the end of the adaptation period—it’s surprising how many companies are just now realizing the need to act. If you think this is a typically Portuguese attitude, know that I’ve had contact with units integrated into international chains whose major complaint is the lack of directives from the parent company. This is surprising, given the importance of their loyalty and CRM programs.
Unfortunately, like in all new and complex processes, there are several misconceptions that can lead to wrong decisions when addressing the GDPR. I highlight two.
Misconception 1: “The world will end on May 25.”
It won’t. Just as there was a time when one could smoke freely in restaurants—or even in cinemas—or travel by car without a seatbelt, societal evolution in knowledge or mindset led to moments of disruption that we now accept as the new norm.
We won’t stop gathering information from guests, personalizing stays, or sending newsletters. And it won’t all happen on the same day. The new ways of working will be internalized gradually by employees, IT platforms will evolve, and the supervisory authority won’t hit the streets on May 26th conducting inspections and issuing fines.
Do not ignore that this exists. Do not postpone. But there is also no need to panic.
Misconception 2: “This is an IT project. Or a legal one. Or a training initiative.”
The most common mistake is not seeing the GDPR as a process that spans the entire company or property, but rather as something specific to a particular functional area – either the legal department because it’s a regulation, or IT because it holds the data, or marketing because it communicates with customers. Contributing to this compartmentalized vision are undoubtedly the dozens of companies in these areas that—legitimately—see the GDPR as a new source of revenue for their business, be it in law, IT, training, or auditing.
As a transversal phenomenon—collection and management of personal data occurs in all departments, from operations to human resources, through marketing and procurement—GDPR requires a project approach that brings together five distinct competencies:
- Regulatory – Absolute mastery, from a legal perspective, of the Regulation and other existing legislation.
- Procedural and documentary – It is not enough to understand the law; one must also understand how internal procedures need to be adapted to comply with it.
- Operational – If you put consultants to work without knowledge of the reality of a hotel, you’ll end up with beautiful procedures that no one can follow.
- Technical – To ensure adaptations in IT systems and procedures.
- Project management – In a change process of this magnitude, professional project management is essential, ensuring coordination and alignment of all.
In summary, my recommendation is to approach the GDPR for what it is: a disruptive change that can be managed with the right methodology and support. Do not waste time and do not try to simplify what is naturally complex.
A CONTRIBUTION FROM…
Nuno Rosinha | Specialist in the General Data Protection Regulation
What are the main challenges of the GDPR in the hotel industry?
The challenges vary depending on the hotel units’ size. National and international groups already have information management efforts on the ground, know their customers, often personalize offerings, and have a greater capacity to absorb new rules. For them, the main challenge is to continue deepening customer knowledge while complying with GDPR requirements. Small and medium-sized units, which make up the majority of the industry, are much further from this reality, primarily operating online, having little awareness of risks and the potential associated with customer data. With lower investment capacity, they will find it more difficult to adapt.
What are your recommendations for hotel companies?
The first recommendation is not to look at the GDPR solely in terms of cost and administrative and bureaucratic aspects. Analyze it from an opportunity perspective, to create or improve data management processes that allow a better understanding of customers and the creation of a differentiated offering. The second is to approach the subject from an integrated perspective, putting business and operations above all else. Creating procedures that are perfect from a formal or legal perspective but do not consider the reality and needs of those who operate the hotel daily is useless. When seeking help, put these concerns on the table and work on a plan that provides answers.
Written by Filipe Santiago
March, 2018
This article was published in Publituris Hotelaria as part of the “Top Management” series.