Why Data Privacy Matters In The Hospitality Sector
Data privacy is essential. Customers are becoming more concerned about data privacy and protection as businesses (particularly hospitality brands) collect increasing amounts of personal data for marketing and research purposes. They need control over their data and transparent information regarding its intended usage.
Hospitality providers must be informed about the law and appreciate why data privacy is so significant to guests, especially in the wake of recent legislative developments providing customers more rights over their personal information.
Good data privacy generates loyalty and trust.
According to a 2020 Privitar survey, 78 per cent of consumers are concerned about the security of their personal information. Thirty-three per cent of respondents stated that the possibility of data theft due to a breach or other security issue is their main worry when sharing personal information with organisations.
Other concerns centred on businesses sharing customers’ data without their consent or abusing it.
However, Privitar also discovered that for 31 per cent of consumers, “Commitment To Data Protection” drives brand loyalty, while for 40 per cent of consumers, “Trustworthiness” drives brand loyalty.
This supports the findings of a 2018 survey by Salesforce, which discovered that clients are more likely to remain with a business, spend more money, and promote its services if they feel comfortable providing the company access to their data.
As Dr Michael Toedt notes in his recent article, adopting the proper approach to data privacy is crucial for the hospitality industry because repeat business and reputation-building depend heavily on trust and loyalty.
Data breaches cause significant financial damage and reputation loss.
If appropriate data protection policies and mechanisms aren’t in place, any business, whatever its size, could experience a data breach. Moreover, significant data breaches can attract international headlines, and no resort or hotel wants that type of notoriety.
Sadly, Marriott Hotels discovered this the hard way in 2020 when seven million guest profiles were compromised. Attackers harvested data such as names, phone numbers, and passport numbers. Encrypted credit card information was also accessed, together with the decryption keys, which had been saved on the same server, so the encryption offered no real protection.
In October 2020, the UK’s Information Commissioner’s Office found Marriott in violation of the country’s data privacy laws and imposed an £18.4 million fine. While this would have been a severe financial setback, the harm to their reputation might be much more costly.
MGM Resorts International, The Ritz in London, and Choice Hotels International are other major brands recently affected by high-profile data thefts. This demonstrates that hospitality companies are a significant target for hackers and cybercriminals because of the volume of valuable data they hold.
So what are the key regulations you need to know?
General Data Protection Regulation (GDPR)
This EU regulation came into force in May 2018 and applies to all businesses within the EU, as well as to businesses outside the EU that process data about EU residents. Companies that collect personal identifiers, including names, phone numbers, and IP addresses, are subject to extensive responsibilities under the GDPR.
Stringent guidelines govern data collection, management, storage, and use. In addition, consumers have rights that include opting out of marketing communications, requesting data transfers, and exercising the “right to be forgotten.”
From a hotel or resort perspective, collecting, using, and storing guest data compliantly is of utmost importance. However, given the current state of the IT industry, it is challenging to achieve.
PCI DSS
The punishment for non-compliance with this crucial international law protecting credit card data starts at $500,000 per incident. Beyond the data security issues themselves, non-compliance fines threaten the future viability of hospitality businesses, many of which cannot sustain such significant losses.
California Consumer Privacy Act (CCPA)
Similar in content to the GDPR, the CCPA affects only larger businesses that are domiciled in California or that deal with residents of California. Unlike the GDPR, which applies to everyone, the CCPA will therefore impact only the largest hospitality groups.
Important: The EU-US Privacy Shield is no longer valid.
The EU-US Privacy Shield was a framework for controlling the transatlantic sharing of information between the EU and the USA. Its purpose was to make it simpler for US businesses to obtain personal information from EU customers while still upholding those customers’ privacy rights.
The Shield, however, was invalidated in 2020. Furthermore, even if the data is hosted within the EU, there are currently no legitimate solutions for collaborating with US corporations or their subsidiaries. Therefore, until a new Privacy Shield is agreed between the EU and the US, many lawyers advise against signing software contracts with suppliers of US cloud solutions.
How to comply with data privacy laws
Resorts and hotels should act immediately if they are concerned about their ability to protect their customers’ personal information effectively.
A typical problem is that the same guest has multiple profiles across different platforms within the technology stack, such as the PMS, CRM, RMS, POS, and website. When these are not fully integrated, data must be updated manually, which poses substantial risks.
Implementing a Central Data Management (CDM) system, which makes it possible to build and maintain a single, clean profile for each guest, can resolve these problems.
Alternatively, installing one fully integrated software solution that covers every aspect of a hotel or resort operation, like Merlin Software, could ensure that guest information is protected and duplication is avoided by synchronising everything in real time.
With Merlin Software, managing data-related requests from clients, such as amending personal information, is more straightforward for staff. Additionally, removing data is a simple process that avoids data disputes.
These features are critical to managers from a regulatory, compliance and reputational perspective.
Technology can only achieve so much, however. Strong data privacy policies and rules, clear guest communications, and staff training are additional important aspects for businesses to consider.
Examples include:
- Always encrypt payment card information.
- Destroy information and documents you no longer need.
- Operate a continuous training program in cybersecurity to enforce protocols.
- Always adhere to relevant regulations.
- Continuously update crisis response plans so that you are prepared if a breach does occur.
- Implement a mobile security policy, so devices are secured.
- Use cybersecurity measures such as firewalls, network monitoring, anti-malware, and traffic filtering.
- Conduct tests against your organisation’s cybersecurity defences and mirror the behaviour of a hacker.
- Know where your data is and enforce the principle of least privilege to limit access.
The best way to safeguard the organisation and its customers from data breaches and the accompanying hazards is to adopt a 360-degree strategy.
Sources:
- Report on Consumer Trust and Data Privacy from 2020.
- New Research Insights for Managing the Customer Trust Crisis.
- Upscale Living
- Limor Wainstein