How to… survive the GDPR's strict new data rules

Businesses should ready themselves now for a host of requests from guests asking how they are using their data, says Sarah Williamson

Respect for guest privacy has always played a crucial part in the success of the hospitality industry, but in today's hyper-connected world that includes protecting your guests' precious personal data.

Innovations such as algorithm-led online review systems have already placed data centre stage in recent years, but the competing requirements of guest privacy set against the need to maintain long-term relationships and secure repeat business will become even more complicated to navigate with the introduction of the EU's General Data Protection Regulation (GDPR).

The GDPR, which is coming into force from 25 May 2018, aims to give new data rights to individuals, principally by fundamentally altering the way businesses approach the collection, storage and manipulation of data, and requiring companies to embed data privacy into their processes and systems.

These requirements will create a compliance burden for any organisations processing personal data and will have major implications for hotels and the hospitality sector.

Failure to comply will be expensive, with fines of up to 4% of annual global turnover or €20m (£18m), whichever is the greater.

How should a business get its data ready for the General Data Protection Regulation?

Find the gaps
For companies unsure of their preparations for GDPR, a gap and risk analysis service is a great first initiative. An analysis can evaluate current data protection procedures and compliance, and assess these against the requirements under GDPR in order to identify gaps. These audits can be crucial in helping an organisation identify the biggest threat in terms of financial and reputational risk.

Raise awareness across all departments
The focus on fines may have brought GDPR to the board and marketing department's attention, but everyone within the business needs to know how they should be handling information and data access requests when they come into the business.

Be ready for a customer backlash
It is not only business awareness that needs to be dealt with. Consumer rights groups are likely to be campaigning to let the public know of the new rights and of companies' responsibilities. The Information Commissioner's Office is also expected to launch a major PR offensive in early 2018, alerting consumers to their new rights as "data subjects".

A flood of data subject requests is possible, be it access requests from current or former employees, or requests from customers wanting to see what information is held about them or to have it removed. To minimise any resulting disruption, you need to know where data is held and to have processes in place to quickly access, amend and remove it as necessary. You need to be ready to respond to enquiries and formal requests in a way that builds trust. And, conversely, to ensure that distrust doesn't lead to a haemorrhaging of usable data from your business.

Improve your data transparency
Businesses need to be more prescriptive and detailed in how and why they manipulate data, and also in what data they capture. They will also need to offer evidence of this.

For instance, at media giant Sky, reporting and recording has already become more focused in readiness for GDPR. The company is tagging data with time and date stamps as well as attaching what are called "trackers and gatekeepers" on certain activities so that they can capture the evidence of a change in the way the data is used.

Prepare for another ‘TripAdvisor effect'
Some businesses are making a comparison between GDPR and the disruptive effect that price comparison sites or review sites such as TripAdvisor and Amazon have had on the travel and retail industries.

These innovations forced a shift in the balance of power between marketing departments and customers when it came to the way the brand was seen, defined and able to market and price its products. GDPR will force yet another shift in power from companies to consumers. Trying to stand in the way of this disruptive juggernaut is futile.

Instead, as they have with TripAdvisor and the like, businesses must look for ways to adapt and take advantage of the new world of marketing, data and consumer control.

Sarah Williamson is a partner at Boyes Turner

Videos from The Caterer archives

Are you looking for a new role? See all the current hospitality vacancies available with The Caterer Jobs