A committed team of Data Protection Champions played a key role in DPTM certification for Shangri-La Hotel, Singapore by ensuring that its 1,000 strong workforce was accountable in following good data protection practices.

Achieving the gold standard in personal data protection is not a single person’s effort. At Shangri-La Hotel, Singapore, Data Protection Champions in every department played a significant role in the hotel’s success in attaining the Data Protection Trustmark (DPTM).

Shangri-La Hotel, Singapore comes under the umbrella of one of Asia-Pacific’s leading luxury hotel groups – Shangri-La Hotels and Resorts. As part of the hotel’s operations and for security reasons, it collects personal data such as the guests’ full name, passport number, credit card details, contact number and country of origin during check-ins, as well as information such as age and date of birth for its loyalty programme. It also retains personal data of all its employees for administrative purposes. This includes their identification details and medical history.

“We have the responsibility to keep all this data well protected,” said Mr Tane Picken, General Manager of Shangri-La Hotel, Singapore. “Personal data protection is part of our hotel’s daily operations and our colleagues are trained to ensure that this data is secured and handled with care.”

Appointing Data Protection Champions

As a group, Shangri-La Hotels and Resorts has had comprehensive data protection guidelines and policies in place since 2008 to ensure that its data management practices are compliant with the personal data protection laws of the countries that they operate in. It also conducts compulsory annual audits on all its hotels and resorts to ensure that the directives are updated and adhered to.

For Shangri-La Hotel, Singapore, a more specific set of guidelines was put in place in 2012 to align its personal data protection policies and practices with the Personal Data Protection Act (PDPA).

One of the steps that the hotel took was to appoint a Data Protection Officer (DPO) to ensure that the personal data of its guests and employees was managed properly, with adequate safeguards in place to prevent unintended disclosure. The DPO also helps to ensure that the hotel’s data protection policies and processes are up to date.

But it did not stop there. In March 2019, Shangri-La Hotel, Singapore took the further step of appointing a Data Protection Champion in each department to oversee internal communications and staff training in personal data protection.

This role proved to be key when the hotel embarked on Data Protection Trustmark (DPTM) certification later the same year.

Preparing for DPTM

The decision to go for third-party certification was seen as a strategic move for the hotel. “In the hospitality industry, trust is key to driving our business and strengthening the relationship we have with our guests and clients,” said Mr Picken.

“Going for the DPTM certification underscores our company’s stance in data protection, assuring our guests, clients, partners and employees that we value their faith in us and strive to treat their personal data with care and respect.”

Third-party certification also served as a validation that the hotel’s personal data protection guidelines and policies were compliant and relevant from an independent perspective.

But the preparation for DPTM was not without its challenges.

For Shangri-La Hotel, Singapore, one of the things it had to do was to ensure that each and every one of its 1,000 employees was adequately trained in personal data protection. Although the hotel already had an extensive set of data protection policies in place, this was still a formidable task because of the number of staff involved.

And this is where the Data Protection Champions came into the picture.

A working committee was established with Data Protection Champions playing an active role in raising employees’ standards in personal data protection within each department. This was done through regular briefings and training. The champions also helped to disseminate data protection information promptly to keep staff updated, to minimise lapses.

“This internal communication is paramount in ensuring that the right procedures are being conveyed to our colleagues who are responsible for collecting guest data and making sure that new colleagues are properly trained on how to handle personal data before they start work,” said Mr Picken.

In addition to this, the Shangri-La Academy rolled out an e-learning course on data protection, which was mandatory for all employees.

The hotel also appointed an external party to assist in its preparation for the DPTM certification. The consultant helped to identify high-risk areas and data protection gaps that were quickly addressed.

A first for the hotel sector

In all, it took about six months from the start of its preparations to becoming the first hotel in Singapore to be awarded the DPTM.

“This certification is testament to our hotel’s commitment to protecting the privacy, confidentiality and security of the personal data of our guests and colleagues. It definitely provides a mark of trust for our guests, and also lends a stamp of accreditation for our business partners as well,” said Mr Picken.

Reflecting on the importance of DPTM to the hospitality industry as a whole, he emphasised that data protection is a key area that management should look at, especially for companies that handle large volumes of customer information. If some of this data were to land in the wrong hands, it could have a detrimental effect on a customer trust, the hotel’s business, and the reputation of the industry as a whole.

And that is why for Shangri-La Hotel, Singapore, the data protection effort has to be a continuous one. “It is important to keep the conversation on personal data protection ongoing, to ensure that it stays top of mind and we remain vigilant in our data protection practices,” said Mr Picken.