Why did companies suddenly start taking an interest in our personal data recently and begin sending out emails updating their terms and conditions, and privacy policies? What’s really going on with data protection right now and how does this affect hotel operations? Has the industry begun taking the required measures to safeguard customers’ personal data and if not, what are the consequences of non-compliance? Serge Chamelian, managing partner of h-hotelier, answers these and many other questions, while providing a welcome definition of the all-new General Data Protection Regulation (GDPR)
What is GDPR?
The new GDPR updates a directive originally issued in 1995, with the aim of strengthening and unifying data protection for individuals in the EU, by setting out guidelines for the collection, processing, usage and storage of personal information of the bloc’s citizens.
This new legislation hands greater power to the consumer, by forcing companies to be transparent about the way they are collecting, storing and sharing their customers’ personal data information.
According to the regulation, personal data consists of an individual’s name, phone number, location data, online identifiers, physical appearance, political and religious beliefs, biometric data, genetic information, sexual orientation and more.
This move to improve and upgrade the standards for data protection processes will undoubtedly have an impact on the global hospitality sector. Hotels will be obliged to ensure they are GDPR-compliant; moreover, given that the industry has a strong digital presence and is offering products and services online, the risk of data breaches is seen as high.
GDPR and hotels
GDPR applies to the handling of information on all EU citizens, wherever they are, so a hotel business based outside of the bloc, but actively marketing, selling products and services, or monitoring EU citizens or customers located there, will need to meet the requirements laid out in the regulation. If a hotel in Asia is hosting customers from the EU, for example, it will need to be aware of its obligations under the GDPR.
The financial penalties for failing to comply with the GDPR are huge; businesses found to be in breach of the rules can expect to pay either EUR 20 million or 4 percent of worldwide annual turnover, whichever is higher. On top of this, companies will have to contend with a damaged reputation in the hospitality industry and adverse publicity.
Given that hotels rely on emails as one of their main forms of communication with current and potential customers, the implementation of the GDPR could have a significant impact on their marketing strategies. Customers will now have to opt in, or give consent to an email marketing service, unlike the opt-out method that has been widely used by companies in the past. This change may make it necessary for hoteliers to speak to customers at check-in, if explicit consent is required for any form of data collection. In addition, all loyalty programs will need to be examined for similar requirements if data is used in a way that requires consent.
GDPR and hotels’ partners
Under the new regulatory set-up, if a hotel is outsourcing the processing of data to a third party that fails to comply with GDPR regulations, the hotel and the third-party processor can be held jointly responsible in the event of a breach. Therefore, all software products must adhere to the same obligations as those of the hotelier. Below are examples of software that hotels should review:
• CRM system
• Booking engines
• Website developers
• Payment processors
• Social media marketing
• Email marketing
To summarize, anything that contains personal information about customers should be reviewed.
Preparing for GDPR
The implementation of the GDPR has made it essential for hotels to create awareness and acquire buy-in from management, since changes in procedures and systems could be necessary. Below is a plan that hoteliers can follow to help ensure their data is GDPR-compliant:
• Make customers aware of their rights under the GDPR.
• Know why data is being collected.
• Obtain consent from customers.
• Audit and review current data processes (how information will be stored and handled).
• Make sure payment processes are compliant.
• Train your employees on what constitutes a personal data breach and how these can happen.
By forcing an opt-in and being specific about how information will be used, hoteliers will become smarter about what data they request and keep. The use of this type of data will ensure customers’ visits meet or exceed their expectations. Thus, hoteliers will be left with a database of customers who are interested in receiving relevant marketing messages and experiences, are more likely to be receptive to booking at the hotel and perhaps returning there.