There are now vast volumes of personal data shared online. E-commerce and social media are fueling the personalization of technology and customer service. As a result, customer privacy, transparency, and data protection have become critical topics in industries across the board — including hospitality.
What do hotels and other accommodation providers need to know about privacy data protection? What do two new pieces of related legislation, namely the GDPR and CCPA, mean to their businesses? And what practical steps can properties take to improve their data and privacy protection — and improve their brand reputation in the process?
Read on for the answers.
Why do privacy and data protection matter to a hotel business?
Consumers care about their privacy and the protection of their data
A recent report from Salesforce shows that customers have limited trust in how companies handle their data. 59% believe their personal information is vulnerable to a security breach, and 54% don’t believe that companies have their best interests in mind.
However, the same report also showed that giving customers control of what data is collected, being transparent about how data is used, keeping data secure, and gaining explicit customer consent to use data were all ways businesses could improve that level of trust.
Survey respondents also said they were more likely to be loyal, recommend the company, spend more money, and share their experiences if they trusted a company.
Data breaches can have a huge negative brand impact
While data security and privacy could seem like low priority issues compared to the daily demands of running a hotel, the potential brand impact of a data breach or privacy scandal can be enormous.
Requirements to comply with current and future legislation
Beyond a reputational risk, in certain countries there is also now an incentive to comply with legislation such as the GDPR and CCPA where penalties can be significant. However, even in other countries, getting on top of your data processes and showing a commitment to customer privacy will put you in a good position for any future legislation that may come into effect.
What are the GDPR and CCPA?
What is the GDPR?
The General Data Protection Regulation (GDPR) is a regulation of the European Union (EU) that came into effect on May 25, 2018. It introduces significant controls and limitations on how businesses, including hotels, may use, manage and share an individual’s personal data.
The GDPR covers all businesses based in, or with a presence in, the European Union. It also applies to businesses outside the European Union that collect or process data about EU residents. This could include online bookings for hotels outside the EU made by EU residents.
What is the CCPA?
The California Consumer Privacy Act (CCPA) is a piece of legislation passed by the US state of California. The legislation was passed on June 28, 2018, but will not come into effect until January 1, 2020. While different from the GDPR, the regulation also broadly impacts the use, management, and sharing personal data.
The CCPA applies to businesses that do business with Californian residents even if they are based outside of the state. It only applies to businesses that meet one or more of the following criteria:
- US$25 million+ revenue annually
- Collect data from more 50,000 California residents annually
- More than 50% of revenue derived from selling data of California residents
As such, unlike the GDPR, only large or chain hotels are likely to be impacted by the CCPA.
Practical steps hoteliers can take to improve privacy and data protection
Audit your data processes
The first step is to understand all the personal data your property collects, why it’s collected, how the data is stored and handled, who of your staff has access to it, and any external partners or services providers with whom the data is shared (and what their policies and security systems are). Also, identify the person who is ultimately accountable for data security and privacy within your management structure.
This will give you a starting point to see what things you may need to change to ensure compliance with the GDPR or CCPA, but also how you can generally improve processes, minimize data collection, and improve security.
Undertake an assessment of IT infrastructure and security
Is your data secure? Do you have appropriate security systems to minimize the risk of external hacking, as well as prevent access to sensitive data by employees that should not be able to access it? While there is no way to completely remove security risks, there are many practical steps to secure the storage of guest data.
Ensure data transparency and guest control
Ensure transparency by setting by clear privacy policies, communicating them to guests, and making sure they are taken seriously by staff. Minimize the amount of unnecessary data collected and stored and ensure that the correct procedures are in place to for guests to be able to opt into data collection, request copies of their data, and request that their data be deleted.
Compliance and monitoring
Ultimately, compliance with the GDPR or CCPA will require staff training and the implementation of the required policies and processes set out by the legislation. Some of the further resources listed below can give more detail about how to comply. However, it is important to develop a culture that respects guest privacy and considers data security at every step. Continued monitoring will also be required to ensure that processes and ever-changing IT infrastructure are kept up to date.
Using compliant partners and tools
A key part of ensuring compliance with the GDPR is by using tools and partners that are also fully compliant and are therefore able to enter into a valid Data Processing Agreement (DPA).
This article is intended only to provide general information and does not constitute any legal advice. The trivago Business Blog and authors do not accept any liability for non-compliance based on information contained within this article or on any external links. It is recommended to seek full and proper legal guidance to ensure regulatory compliance.