
Preface
Today’s hotel industry, rapidly becoming intelligent and networked, has become an industry highly intensive in personal information. Whether it is a hotel owner or an operator [1], the personal information they hold has become an important intangible asset of the company, but if it is not handled properly, that asset can also become a hot potato. In the currently popular topic of “hotel asset management”, personal information security management should be a core compulsory course.
Heavy penalties for personal data breaches
Somewhat dramatically, the data involved in the case originally belonged to S Group, which is also a hotel operator; M Group acquired S Group in 2018. The data breach already existed at that time, but it was not discovered until after the acquisition was completed. Even so, M Group still failed to escape punishment. In fact, the ICO originally planned to impose a penalty as high as 99.2 million pounds, which was then significantly reduced after M Group filed a complaint and cooperated with the investigation.
As far as the hotel industry is concerned, every individual hotel (especially high-end international brand hotels) holds a large amount of guests’ personal information, and the personal information held by hotel management companies is greater still. Once a leak occurs, it often triggers a huge social impact and adverse consequences. The upper limit of penalties stipulated by the “Personal Information Protection Law” will therefore be very significant for both individual hotels and management companies. Judging from the current market, 50 million may be equivalent to a full year’s operating income of a mid-to-high-end international brand hotel in a second- or third-tier city; and 5% of turnover is even more stringent, especially for management companies, since the annual profit rate of many well-known international and domestic hotel management groups does not exceed 10%. Once a hotel owner or management company is fined for a violation, its performance will suffer a very heavy blow.
So, how should hotels manage their data assets and protect personal information in accordance with the law? Below we will analyze the subject of obligation, the definition of personal information, the statutory requirements for personal information protection, and the specific measures for personal information protection.
According to the “Personal Information Protection Law”, whether it is a hotel owner or a management company, as long as it independently determines the purpose and method of processing in its personal information processing activities, it constitutes a personal information processor as defined by the law and must process the personal information it holds in compliance with the law’s requirements.
If this definition is applied to the business scenarios of the hotel industry, it is not difficult to find that a hotel is exposed to a large amount of personal information in the legal sense, such as a guest’s name, gender, birthday, ethnicity, ID number, membership number, facial information, fingerprint information, contact information, payment information, consumption information and whereabouts information; in addition, special information such as religious beliefs, specific diseases, habits and preferences may be involved when receiving special guests.
All of the above personal information falls within the protection scope of the “Personal Information Protection Law”. Among it, biometrics, religious beliefs, specific identities, medical and health information, financial accounts, whereabouts and similar information, as well as the personal information of minors under the age of fourteen, are sensitive personal information, which may only be processed where it is sufficiently necessary, after the individual has been informed and has given consent in accordance with the law, and under the premise of strict protective measures.
It is also worth noting that although a hotel deals more with guests’ personal information, the “Personal Information Protection Law” is not limited to this, and the protection of employees’ personal information cannot be ignored, especially since many management companies hold a large amount of such information. The personal information database of hotel general managers and other executives should also be given enough attention.
First, formulate internal management systems and operating procedures related to the protection of personal information. These systems should at least include: formulating personal information protection guidelines and manuals that clarify the procedures and requirements of personal information processing and the operating authority and responsibilities of different departments and positions; establishing personal information protection logs and a regular reporting mechanism; establishing a mechanism for responding to individuals’ rights claims; formulating emergency plans for personal information security incidents; and establishing a personal information security education and training mechanism.
Second, implement classified management of personal information. With the development of technology, the platforms on which hotels process personal information are becoming more and more abundant, including websites, apps, official accounts, short video platforms and hotel management systems (PMS), all of which involve the Internet. According to the “Network Security Law”, the state implements a hierarchical network security protection system. If the hotel is the operator of the relevant network, a series of measures such as grading, filing, evaluation, rectification and regular self-inspection of its network is required to ensure its security. Since this hierarchical protection system is relatively complicated and involves many legal and technical issues, we will discuss it in a separate article in the future.
Third, make necessary upgrades to the related software and hardware. The “Personal Information Protection Law” requires personal information processors to adopt corresponding security technical measures such as encryption and de-identification. The “Network Security Law” requires technical measures to prevent computer viruses, network attacks, network intrusions and other acts that endanger network security. These technical measures depend on the corresponding hardware and software, so the hotel needs to update and upgrade this equipment regularly to ensure data security.
Fourth, conduct regular compliance audits of personal information processing activities. In hotel operations, financial audits and tax audits are relatively common; in recent years, compliance audits have gradually attracted the market’s attention. Since compliance is a dynamic process, and laws, regulations and policies are revised, updated and adjusted from time to time, the requirements placed on the hotel may also change accordingly. It is therefore necessary for the hotel to conduct regular compliance audits to ensure that it always operates within the scope of the legal requirements and avoids penalties for violations.
Fifth, conduct a prior impact assessment of specific personal information processing activities. The “Personal Information Protection Law” requires personal information processors to conduct impact assessments before handling sensitive personal information, using personal information for automated decision-making, entrusting the processing of personal information to others, providing personal information to others, disclosing personal information, providing personal information overseas, and so on. What needs special attention here is that international brand hotels may transfer personal information from local servers to overseas headquarters servers, which involves the cross-border flow of personal information; more and more domestic brands have achieved or are achieving internationalization and face the same problem. The “Personal Information Protection Law” devotes a separate chapter to the cross-border provision of personal information: providing personal information overseas requires completing a series of procedures such as a security assessment, protection certification, and the signing of a standard contract established by China’s regulatory authorities with the overseas recipient. In addition, the National Internet Information Office is formulating the “Measures for the Security Evaluation of Personal Information Exiting the Country” and issued a draft for comments in 2019. Follow-up legislation and law enforcement developments are worthy of the industry’s attention.
Sixth, promptly and correctly handle individuals’ rights claims regarding their personal information. According to the “Personal Information Protection Law”, individuals have the right to know about and make decisions concerning their personal information, the right to restrict and refuse processing, the right to access and copy, the right to transfer (similar to portability under the GDPR), the right to correct and supplement, and the right to delete. Hotel operating standards generally include response and processing mechanisms for guest claims and requests. After the “Personal Information Protection Law” is promulgated, individuals may from time to time make one or more of the above demands, so the hotel needs to supplement and upgrade its existing processing mechanisms in line with these personal rights and the legal provisions.
Sun Lingyue
Beijing office