Respect for guest privacy has always played a crucial part in the success of the hospitality industry, but in today’s hyper-connected world that includes protecting your guests’ precious personal data.
Innovations such as algorithm-led online review systems have already placed data centre stage in recent years, but the competing requirements of guest privacy set against the need to maintain long-term relationships and secure repeat business will become even more complicated to navigate with the introduction of the EU’s General Data Protection Regulation (GDPR).
The GDPR, which is coming into force from 25 May 2018, aims to give new data rights to individuals, principally by fundamentally altering the way businesses approach the collection, storage and manipulation of data, and requiring companies to embed data privacy into their processes and systems.
The new regulation is indiscriminate and will affect any pub, hotel or restaurant – big or small. These requirements will create a compliance burden for any businesses processing personal data and will have major implications for the hospitality sector.
How should a business get its data ready for the General Data Protection Regulation?
Find the gaps
For companies unsure of their preparations for GDPR, a gap and risk analysis is a great first initiative. An analysis can evaluate current data protection procedures and compliance, and assess these against the requirements under GDPR in order to identify gaps. These audits can be crucial in helping a business identify the biggest threat in terms of financial and reputational risk.
Be ready for a customer backlash
It is not only business awareness that needs to be dealt with. Consumer rights groups are likely to be campaigning to let the public know of the new rights and of companies’ responsibilities. The Information Commissioner’s Office is also expected to launch a major PR offensive in early 2018, alerting consumers to their new rights as “data subjects”.
A flood of data subject requests is possible, be it access requests from current or former employees, or requests from customers wanting to see what information is held about them or to have it removed. To minimise any resulting disruption, you need to know where data is held and to have processes in place to quickly access, amend and remove it as necessary. You need to be ready to respond to enquiries and formal requests in a way that builds trust. And, conversely, to ensure that distrust doesn’t lead to a haemorrhaging of usable data from your business.
Prepare for another ‘TripAdvisor effect’
Some businesses are making a comparison between GDPR and the disruptive effect that price comparison sites or review sites such as TripAdvisor and Amazon have had on the travel and retail industries.
These innovations forced a shift in the balance of power between marketing teams and customers when it came to the way the brand was seen, defined and able to market and price its products. GDPR will force yet another shift in power from companies to consumers. Trying to stand in the way of this disruptive juggernaut is futile.
Instead, as they have with TripAdvisor and the like, businesses must look for ways to adapt and take advantage of the new world of marketing, data and consumer control.
Sarah Williamson is a Partner at specialist technology and innovation law firm Boyes Turner. She is an experienced adviser on complex technology related projects, and heads up a team advising clients on data protection and security issues. For more information and resources on preparing for GDPR, visit www.boyesturner.com/our-expertise/gdpr