Data privacy in the tourism and hospitality sector
Personal data security is becoming increasingly important in the tourism and hospitality sector, but many companies may not be ready to comply with the EU’s tough new data protection laws, which must be implemented by May 2018.
All EU businesses that handle data will have to comply with the General Data Protection Regulation (GDPR), which will require investment in systems and training for employees. As the deadline for implementing the GDPR approaches, data privacy is rising up the agenda for senior management. It will affect all customer data in the tourism and hospitality sector, including CRM databases and online booking and enquiry systems. The GDPR touches many departments and cuts across internal organisational boundaries, so accountability has to sit at director level. As a minimum, directors of hotels, commercial organisations, tourist boards and so on will have to ensure that their businesses remain compliant with the GDPR. This will entail constant monitoring of systems and processes against the regulation’s requirements, to avoid data breaches and manage the risks. Large companies may want to create privacy committees to improve oversight, or link data privacy objectives to directors’ performance management.
Management teams must ask themselves some fundamental questions on GDPR to make sure they are compliant:
Do they understand the key elements of GDPR and its potential impact on their stored data?
What do they really know about GDPR readiness? Have they seen their company’s GDPR-readiness assessment? Such an assessment provides an overview of the risks and where they are located.
How do they ensure they have all the information they need?
Have they seen their company’s implementation action plan with specific recommendations, such as system adaptation or cyber-training programmes?
Management simply can’t ignore these questions. Companies that fail to comply with the GDPR could, in the case of a breach, face fines of up to 4% of global turnover or €20m, whichever is greater. Most importantly, the reputational and brand damage of such a breach can have major consequences for a business.
However, I strongly believe it’s important to stress that smart companies are focusing on the opportunities to maximise returns on investment, rather than on the threat of sanctions. The new GDPR requirements can be an opportunity for organisations in the tourism and hospitality sector, which typically store significant amounts of personal data, to promote a data-responsible image. Companies need to find new ways to limit the amount of data they collect, and to communicate the benefits to customers. For large, international companies the harmonisation of data protection rules across Europe is a positive step. The introduction of the ‘one stop shop’ principle, for example, allows a cross-border organisation to deal with a single lead regulator.
The strategic importance of data protection will remain an issue long after the May 2018 deadline, and management teams need to ensure they are ready for the impact of the GDPR. Whether that impact is positive or negative, however, is largely in their hands.