Business

Tourism Sector in Croatia Not Ready for EU's General Data Protection Regulation

By 18 August 2017

New rules: tourism service providers know nothing about the new regulation and they could be facing EUR 20 million fines.

Twelve billion euros. With this year's revenue growing by more than 20 percent, that could be the total revenue from Croatian tourism, Jutarnji list reports on August 187, 2017.

Its share in the country's GDP could reach 20 percent. Tourism is without a doubt the most important branch of the Croatian economy, so it is logical to protect it, just as every successful company would protect its own business. And we are not doing it. However, changes in EU regulations could change that.

The EU's General Data Protection Regulation (GDPR) will lay down a number of rules on the collection, retention and processing of personal data, and travel agents, hoteliers, carriers and everyone else involved in providing tourist services have not even heard of it. If you try to find any information on tourism in Croatia and personal data protection on the Internet, you will find a single text in which the Croatian National Tourist Board replies to a journalist's question, saying it is ready to implement the regulation, while stating that it plans to assess its impact on the existing data in the following period. So, the CNTB has not yet carried out a performance analysis that would show how the Regulation would affects "existing collections of data", so it can in no way be ready for its implementation.

Irresponsible behaviour when it comes to personal data is not an exclusively Croatian tourism thing. The fact remains that the personal information safety and hospitality are sometimes mutually exclusive, but it can be done, and, starting next year, guests will be expecting it. Unnecessary collection and retention of copies of documents, information on children, home addresses ... All this will have to disappear. The information that is collected must be well-protected, and the penalties will be enormous - up to EUR 20 million or four percent of the total revenue. While such penalties will affect companies, the damage caused by media reports of irresponsible or malicious management of personal data of EU citizens could affect the entire Croatian tourism.

Given the image of a secure tourist destination that we have built, our responsibility is far greater than merely aligning with the Regulation. Croatia should be the leader in the tourist personal data protection and set standards that other EU members would follow. The General Data Protection Regulation was adopted in May 2016, and its full application will start in May 2018. We have had two years to adjust. There are only nine months left. So far, we have done nothing. Manipulating personal data, their malicious use, processing for unauthorized purposes, identity theft, financial damage - all of these have become quite common events related to personal data.

Favourite target

The tourism sector is confronted with a wave of organized crime aimed at stealing and misusing guests' personal data. There are several reasons for this. First of all, the main payment method in tourism is the credit card, which is cyber criminals' favourite target. Furthermore, personal data about who travels where can be of particular interest, and Wi-Fi internet access in hotels is an ideal way to steal data from guests' laptops, often high-ranking politicians or businesspeople. Tourist information systems are often associated with numerous internal and external information systems, booking agencies, hotels, travel agencies, carriers. The operation of such tourist information systems is often based on a non-secure wireless network, and due to low awareness of information security, the tourism sector is full of steady poor data management practices. The human factor plays a crucial role in the process as well. The number of information security professionals employed in the tourism sector is negligible, the fluctuation of staff in tourism is extremely high, which is why it is very difficult for all staff members to be educated in the security field. In addition, the state has yet to recognize personal data protection as an important factor in the overall tourist service security.

Important oversights

There are numerous examples of mistakes and oversights. The personal data of 70,000 guests, including their credit card numbers, became exposed during a data breach at Trump Hotel Collection a few years back. Wyndham Hotels and Resorts had three data breaches that occurred in 2008 and 2009, and the case was settled eight years later. At an international information security conference in one of the leading hotels in Croatia, a well-known security expert Peter Wood managed to obtain credit card copies to enter the most luxurious suites by employing social engineering.

Compared to some Western countries, these kinds of security practices in our hotels are relatively good. But, taking into account the importance of tourism for Croatia, we should definitely do more.

Translated from Jutarnji list.

Search