The General Data Protection Regulation (GDPR), which comes into force on 25 May this year, affects any company that collects customer data. According to experts, it represents the most important data protection regulation change in 20 years. While most businesses will be affected by GDPR, the nature of the hospitality sector and the large amounts of data that businesses operating in it collect makes the new regulations particularly pertinent to operators. Chris Dunning, founder of consultancy TechQuarters, discusses what hospitality businesses need to know.
It will affect you
GDPR regulations will affect all organisations. “If you’ve been selling to EU residents and have captured their personal details, whether it be credit card number, date of birth, name or address, then it affects you,” says Dunning. “Hospitality is capturing data all the time. How many times have you walked into a hotel and had to provide your passport and date of birth, which is then scanned into their system? We are capturing a massive amount of data. In hospitality, the customer identification is a lot higher than other sectors.”
Understand what PII data you hold
The key things hospitality operators need to know in advance of the new regulations are what personal identifiable information (PII) they hold and where it is stored, says Dunning, as well as the individual rights of the people whose data they hold. PII might be installed on a company’s CRM system, but it is also often found across tablets, mobile phones and laptops throughout a business. “If people are using mobile devices to capture PII then you need to enrol them into your business. It’s not Big Brother, it doesn’t check their search history but controls the apps on their devices to keep the data and stop it leaking out. You should start to roll-out policies, such as staff needing to have a pin code on their smartphones to protect data.”
Know your customers’ rights
Come 25 May, customers will be able to phone a business and demand information on what personal data a company holds on them and ask for it to be modified or deleted. Businesses have two months to respond for requests to erase data and one month to inform a customer of the details they have, and one month to rectify them. Dunning cites a recent survey that suggests 27% ofconsumers might phone up a business just to check it is compliant. “Businesses must consider, ‘what are your processes internally to deal with it?’”, he says.
Be in control of data breaches
“You should ensure you’ve got right procedures in place to detect, report and investigate a personal data breach,” says Dunning. To ensure this is done effectively, businesses should put someone in charge of data protection and compliance and create the role of a data protection office. “Companies have 72 hours to report a data breach,” adds Dunning, “so they need to be able to act swiftly”.
It pays to be compliant
Or rather you’ll pay if you’re not. Under the previous Data Protection Act, the largest fine for business that lost data was £70,000, says Dunning. Under GDPR, fines can be up to 4% of global turnover or €20m (£17.6m).
Chris Dunning is founder of consultancy TechQuarters He was speaking at last month's Hostech conference