On May 25th, the European Union’s General Data Protection Regulation – GDPR – goes into effect. GDPR specifies that customers must explicitly consent for their personal information to be processed and used by third party sites. This clearly marks a shift towards starting to build a quality relationship with your hotel guests.
If a customer stays at your hotel, their information cannot be used for marketing purposes or dissemination to third parties without the customer’s written approval.
The good news is that reducing the amount of data captured may actually provide a better experience for customers – both at the time of data collection and throughout the customer journey.
The GDPR’s right to be informed obligates organizations to state clearly how they plan to use personal data. They must communicate that information in a way that is:
- concise, transparent, intelligible and easily accessible
- written in clear and plain language
- free of charge
Hotels will have to clearly explain to guests what data they are capturing, why they are capturing it, and who will have access to it. Data captured in this context includes booking systems and revenue management software.
Today many hotels use cloud-based systems for relevant consumer transactions. Hotels will be required to clearly communicate these processes, and make sure that the technological and organizational measurements used by its systems meet GDPR requirements.
The key point here is that now is NOT the time to start worrying about capturing new relevant data for your hotel.
Start being transparent about why you are collecting the data and help your customers understand the value proposition of why you are collecting it. It is important to put humanness and transparency into context.
Begin with some baby steps. Collect the customer data that you actually need. Then use it wisely by building better experiences through personalization with this core information. This will grow more trust in the relationship which is a key ingredient to long-lasting relationships.
Consent is a principle that builds upon communication. It means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your hotel’s reputation.
Check your hotel’s current consent practices. Refresh your hotel’s consents if they don’t meet the new GDPR standards.
Consent requires a positive opt-in. Don’t use any default consent.
An explicit consent requires a very clear and specific statement of consent. Be sure to keep your consent requests separate from other terms and conditions. Also make it easy for consumers to withdraw consent and tell them how.
Managing access is a key component with GDPR. It refers to:
- Implementing appropriate technical and organizational measures for your hotel. It’s not enough just say you implemented the appropriate GPDR process – your hotel has to show that you considered and integrated data protection.
- Preventing unauthorized access to date, which includes any unauthorized access, accidental and unlawful destruction, loss, alteration, or disclosure of personal data, stored or otherwise processed.
- Notifying relevant parties of a breach within 72 hours of first becoming aware of the breach. Relevant authority and the party data concerns of the breach that is likely to result in a risk for the rights of freedom of individuals must be notified.
- Maintaining impeccable records of data processing activities, including information of who has access to data.
Even though there are some non-European hotels that do not actively pursue European customers, I advise that all hotels around the world work on being compliant and follow similar principles.
Hotels that actively seek European guests will be required to be compliant with GDRP. With any type of breach, they will be required to report to a European regulator within 72 hours. Non-compliance is subject to some very stiff fines.
GDPR is invoking the right to be forgotten. Basically, this means that the consumer has the right to request that all of the personal information about them that your hotel possess is erased and they are not required to tell why.
Specifically, your hotel must erase all their personal data wherever it exists: in files, databases, replicated copies, backup copies and archived copies too. And, you also have to demonstrably prove that you’ve done so. Furthermore, if you’ve ever shared this person’s data with another organization, it’s on you to contact them and convey the erasure demand.
Profiling is defined by more than just the collection of personal data – it is the use of that data to evaluate certain aspects related to the individual. The purpose is to predict the individual’s behaviour and make decisions regarding it. In the context of your hotel’s email marketing, it can be the choice to send a particular targeted email campaign instead of another one.
There are three important aspects of profiling:
- It implies an automated form of processing
- It is carried out on personal data
- The purpose of it is to evaluate certain personal aspects of a natural person to predict their behaviour and take decisions regarding it
Hotels will be required to:
- Give individuals information about the processing
- Introduce simple ways for them to request human intervention or challenge a decision
- Carry out regular checks to make sure that your systems are working as intended
Sensitive data is personal data relating to a living individual who can be identified:
- From that date, or
- From the data and other information which is in the possession of, or is likely to come in possession of, the data controller
- And includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual
Data may be considered sensitive if it consist of material that includes:
- Racial or ethnic origins
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Data concerning health
- Data concerning a natural person’s sex life or sexual orientation
Marketing under the GDPR (whether postal, phone, email, SMS or any other form of marketing) is regulated exactly like any other data processing activity.
As a hotel marketer, you are concerned with making the most effective use of social media tools or platforms such as Facebook, LinkedIn, Twitter, Google+, Pinterest, WhatsApp, Snapchat or Instagram. The last thing you want to worry about is having your followers, friends or connections needing to provide you with consent to store or use their data.
You will be pleased to hear that as far as consent and data use is concerned, you will be effectively covered by the terms and conditions and privacy notices of each of these social networks.
Due to existing legislation is known as the EU-US Privacy Shield, US organizations (including social media network providers) can self-certify and commit to this framework agreement which underpins their protection of the EU citizen data entrusted to them.
In short, this means that both your hotel and your social media audience agree to the terms of the tools you use. GDPR will also require them to have an accountable EU representative that can be held to account for the GDPR compliance of the organization within Europe.
While the three key GDPR areas that hotels need to concentrate on are data permission, data access and data focus, there are really two main areas that will be impacted from a hotel marketing perspective:
Ensuring users opt-in to your hotel’s email marketing campaigns and give consent to be contacted will be a requirement, rather than automatically adding them to your email list and then waiting for them to opt out.
Hotels need to make sure that every name in their CRM database and every email in the automation system has given proper permission to market to them. And, if someone opts out of an automated email sequence, that the two systems are updated to ensure that no further emails are sent.
Data transfer outside the European Union (EU)
The GDPR imposes restrictions on the transfer of personal data outside the European Union to third countries or international organizations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
It is important for hotels to understand that GDPR will apply when organizations use online IT services, cloud-based services, remote access services or global HR databases and will often need to implement lawful data transfer mechanisms.
In order to prepare for the requirements of the GDPR, hotels should:
- Review their existing and planned business operations
- Identify all circumstances in which personal data is transferred to recipients located outside the European Economic Area (EEA); and
- Ensure that, for each such transfer, the organization has in place a data transfer mechanism that complies with the requirements of the GDPR.
The May 25 GDPR compliance dateline is rapidly upon us and you must make sure your hotel is compliant. This shift can be extremely valuable when combined with a focus on humanness and transparency.
Reputation Management will become even more important for hotels as we are again starting to value the quality of relationships. With the advent of GDPR, consumers will be in control of their own information, in addition to already playing a large role in your hotel’s brand message through social media.
It would be wise to consult with hotel legal experts that specialize in GPDR as they can help draft consent forms with the appropriate terminology.
Again, this is NOT the time to start worrying. Start with baby step actions and build a solid framework that supports this new valuable shift for all of us. As with any major shift, we all will run into pain points and challenges. Looking at this shift long term, we will all see a new landscape beyond the disruptions and social media clutter. Stay focussed on implementing new key strategies to build quality relationships with customers and hotels guests.
Take actions to aid your hotel’s legal GDPR readiness, but even more importantly, do so to establish trust and build stronger relationships with your consumers. This is an important step towards providing your customers with truly delightful experiences.
About the author