Hospitality and leisure industry: 6 steps to PoPIA compliance
South Africa boasts luxury hotels and resorts, game reserves, wine estates, affordable B&Bs, golf courses, mountains, forests and golden beaches. It's no wonder that we are a destination of choice for keen travellers at home and abroad.
Be it for work or play, from the moment travellers arrive at your reception desk, their comfort and happiness are largely your responsibility.
That’s not, however, where your responsibility ends. With the introduction of the Protection of Personal Information Act (PoPIA), which comes into full force on 1 July 2021, businesses in the hospitality industry take on a new set of responsibilities to protect their guests’ personal information.
Most of the big players in hospitality in South Africa have already had to deal with the EU’s General Data Protection Regulation (GDPR), which was introduced in 2016 and requires businesses to take measures to protect the personal data of EU citizens.
GDPR and PoPIA are similar, so some businesses will be prepared for PoPIA, while some of the smaller establishments may not be. But there are some surprises lying in wait for even the big players, despite their international experience, as PoPIA has some unique elements not covered by the GDPR.
Responsibility for booking agents
The keen travellers probably made their reservations using an online booking site, such as Booking.com, Lekkeslaap.co.za, or Travelstart. Travelstart, based in Cape Town, describes itself as Africa’s leading online travel agency.
Behind the initial booking site, there may be other parties handling your guests’ information. Under PoPIA, each hospitality player is responsible for safeguarding the information that all its agents, acting on its behalf, collect, and you need to identify every party in this chain. If one of your booking agents sells or shares your guests' information with a third party without permission, or starts sending them spam, your business is in breach of PoPIA, as well as the agent.
Your business should have a PoPIA addendum to existing contracts with all its agents, and new contracts should contain a PoPIA clause. All those parties need to agree to abide by certain conditions; they cannot be passively “opted in”. A hospitality business is well within its rights to require its agents to submit to an investigation of their systems and processes to ensure they are PoPIA-compliant.
What kind of information is this?
When the travellers made their reservations, they would have supplied details personal to them, such as passport or ID numbers, credit card details, telephone numbers, addresses and possibly even car registration numbers. What level of protection does this information require?
PoPIA defines different categories of personal information: personal information (such as ID and passport numbers and credit card details), special personal information (highly sensitive, such as race, health and biometric information), and information that is not personal and so does not fall under the Act. There are more safeguards for special personal information than for personal information, but both categories must be safeguarded.
Are we accumulating too much information?
The keen travellers have now waved you a fond farewell (and hopefully left a generous tip). For how long are you going to keep their details on file?
Minimality is key: businesses should not collect more personal information than is required. "Personal information" is defined very broadly to mean any information that can be used to identify an individual person or another business entity. So how much do you really require?
You also need to question why you are keeping personal information (is it necessary for legal purposes?) and, if there is no good reason, it must be disposed of in a secure manner. This is important because, under PoPIA, even the keenest traveller has a right to be forgotten.
How secure is this information?
Taking all reasonable steps to safeguard the personal information in your possession is a critical element of both the GDPR and PoPIA, as the Marriott Hotel Group found out to its cost in 2018.
Marriott discovered that cybercriminals had hacked its global reservation database and accessed the credit card and other personal details of 339 million people. This had been happening since 2014. Marriott was fined GBP 18.4 million in October 2020, and a class action-style suit has been launched in the UK. While the cost in money must certainly hurt, a reputational hit often hurts more.
PoPIA requires a business to put in place "appropriate, reasonable technical and organisational measures" to prevent loss of, theft of or damage to personal information.
Is this information travelling overseas, too?
If your hospitality extends to international partners and loyalty programmes, it is quite likely that you are sharing your guests’ personal information outside South Africa. PoPIA has specific requirements for sharing information outside South African borders.
And on the subject of loyalty...
Much as you hope to see the travellers again and remind them of the great time they had with you, or want to entice new travellers to enjoy your generous hospitality, some of the ways you treat returning or new guests need to be handled very carefully from now on.
Under PoPIA, unless a person is an existing guest who willingly receives your marketing, a business cannot send electronic marketing information without first obtaining consent. Any request for marketing consent must use the language set out in the Regulations to PoPIA.
A post-Covid, in-PoPIA future
We all hope to travel more, and venture abroad again, once the worst of the Covid-19 pandemic is past. For a hospitality player, the Covid-induced lull may provide some breathing space to get PoPIA compliance in order and, if necessary, take legal advice on measures to put in place urgently.