Data privacy matters – period. As companies (including hotel chains) collect more and more personal data from consumers for marketing and research purposes, consumers are becoming increasingly concerned with data privacy and data protection. They want control over their data and they want to know exactly how it will be used. With legislative changes giving consumers more rights over their personal information, hoteliers need to both know the law and understand why data privacy is so important to hotel guests. Let’s take a look.
Good data privacy builds trust and loyalty
A 2020 survey by Privitar found that 78% of consumers are concerned about protecting their personal data. 33% said their primary concern around sharing personal information with businesses is the risk of data theft due to a breach or other security issue. Other issues revolved around companies sharing data without their permission or otherwise misusing it.
However, Privitar also found that “Commitment to data protection” drives brand loyalty for 31% of consumers, a figure that increases to 40% for “Trustworthiness”[1]. This backs up the findings from a 2018 survey by Salesforce, which found that consumers are more likely to stay loyal to a company, spend more money and recommend its services if they feel they can trust the organization with their data[2].
Adopting the right approach to data privacy is therefore vital for the hotel industry, where trust and loyalty are critical sources of repeat business and reputation-building.
Data breaches cause serious financial and reputational losses
Any type of organization could suffer a data breach if adequate data protection controls and systems aren’t in place. Major data breaches can make news headlines around the world, but that is not the kind of publicity any hotel chain wants.
Marriott Hotels found this out to their cost when 7 million guest profiles were compromised in 2020. Information collected by hackers included names, phone numbers, and passport numbers. Encrypted credit card details were also accessed – as were the decryption keys, which were stored on the same server.
Marriott was found to be in breach of data privacy legislation and fined £18.4 million by the UK’s Information Commissioner’s Office in October 2020. A severe financial blow, but the reputational damage could cost much more. Other hotel companies hit by high-profile data leaks in the last few years include MGM Resorts International, The Ritz in London, and Choice Hotels International[3]. This illustrates how the large amount of valuable data held by hotel groups makes them a prime target for hackers and cyber thieves.
Key legislation explained
- General Data Protection Regulation (GDPR)
This EU regulation came into force in May 2018. It affects businesses outside the EU that process data about EU residents, as well as businesses within the EU. GDPR places wide-ranging obligations on all organizations that collect any type of personal identifiers, from names and phone numbers to IP addresses. There are strict rules around how data can be obtained, stored, managed, and used. Consumer rights include opting out of marketing communications, asking for data to be transferred and the ‘right to be forgotten.’
From a hotelier’s viewpoint, obtaining and using guest data compliantly, keeping it updated, and storing it securely are of paramount importance, but this is hard to achieve given the current IT landscape.
- California Consumer Privacy Act (CCPA)
The CCPA has a similar scope to GDPR but only applies to larger organizations that are based in California or do business with Californian residents. Unlike GDPR, which affects everyone, the CCPA will only impact the biggest hotels and hotel groups.
- Invalidation of the EU-US Privacy Shield
The EU-US Privacy Shield was a framework for regulating the transatlantic exchange of information between the EU and the USA. It was partly designed to enable US companies to more easily receive personal data from EU consumers, whilst still protecting their privacy rights. However, the Shield was invalidated in 2020. At the moment, there are no legally sound ways to work with US companies or their subsidiaries, even if the data is hosted within the EU. Therefore, many attorneys recommend avoiding signing software contracts with vendors of US-cloud solutions until a new Privacy Shield is available between the EU and the US. (See also White Paper Viewpoint Privacy Shield for more details.)
Achieving data privacy compliance
Hotels concerned about their ability to adequately protect guests’ personal data should take immediate steps to address this. A common problem is the existence of multiple guest profiles across different platforms within the hotel tech stack, such as the PMS, CRM, RMS, POS, website, etc. Where these are not fully integrated, data has to be updated manually, which carries significant risks.
These issues can be solved by implementing a Central Data Management (CDM) solution, which enables the creation and maintenance of a single, clean profile for each guest. A CDM can communicate and synchronize with each system within the tech stack in real-time, centralizing guest information and preventing duplication.
CDM systems make it much simpler for hotel staff to manage data-related requests from clients, such as updating personal details. They also enable one-click deletions, preventing data disputes. Some CDM systems include a cleansing system that can carry out steps to offer clean and consolidated data throughout the hotel tech stack.
From a compliance and reputational viewpoint, these functionalities are truly invaluable to hoteliers. However, IT can only do so much. Other key considerations for hoteliers include creating robust data privacy policies, providing clear guest communications, and training staff on data privacy processes. Taking a 360-degree approach is the best way for hotels to protect themselves and their guests from data breaches and the associated risks.
Sources:
[1] 2020 Consumer Trust and Data Privacy Data Report. 2020.
[2] Managing the Customer Trust Crisis: New Research Insights. September 2018.
[3] Upscale Living. 5 Recent Luxury Hotel Data Breaches You Should Know About. August 2021.