Recognized as an industry expert on hospitality technology, eCommerce, and business intelligence, Terri Miller, CEO and co-founder of Concilio Labs, discusses the impending European General Data Protection Regulation (GPDR) and what that means for hoteliers.
Why has GDPR become such a top-of-mind issue for the hospitality industry?
The May 2018 deadline for GDPR implementation will significantly change the way hoteliers handle guest data. Having guest’s personal data stored in the cloud has become a necessity for today’s hotelier.
Until now, fines for breach of data protection regulations were limited and enforcement actions infrequent. GDPR, on the other hand, promotes the risk of costly penalties in the event of incompliance and data breaches.
Even though GDPR applies specifically to EU countries only, in today’s global society, it is likely that most hotels touch EU citizens in some form or fashion – and so they must comply with regulations. GDPR is also seen as a “first move” towards greater information transparency and security overall, and thus many savvy hoteliers, even those outside of the EU, are using the new regulations as a way to get their marketing, data management, and privacy programs into shape.
How do you see the GDPR affecting hotel companies’ strategies and habits over time?
Fundamentally, GDPR requires hotels to be transparent about what data they collect as well as to take responsibility for what they—and their partners— do with that data. Many industries, including hospitality, are struggling when it comes to winning and keeping their customers’ trust. GDPR is about bringing consumers into the data ecosystem by allowing them to see, access and consent to the data that companies have and utilize.
How do you see the GDPR affecting guest expectations and behaviors?
The processing of personal data should be designed to serve the guest. If hotels don’t honor that principle, guests will become distrustful and certainly less loyal. They may even begin to lie when asked for non-essential information. They may also shame brands that don’t follow the GDPR standards of transparency and choice.
We need to make guests feel as if a data exchange is beneficial – better data for better guest experiences – vs. data used simply for the purposes of mass-distributed marketing.
In the short term, hotels can look to GDPR as an opportunity. Among many regulations, GDPR requires hotels to ask customers to “opt in” to marketing communications. By playing their cards correctly, hotels can use their opt-in as a chance to re-engage with guests and educate them on the benefits of data sharing to improve the guest journey.
I believe that most guests will be happy to grant access to their data if their needs are being met.
The GDPR introduces the concept of profiling. How will that impact hotel marketing and personalized guest service practices?
The GDPR describes profiling as any form of automated processing of personal data, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
For hoteliers, the ability to leverage guest profiling is essential when it comes to personalized, relevant marketing and services. Not only can profiling deliver benefits to the hotel— it can also deliver benefits to guests by tailoring services and offers to align with their preferences, interests and guest history. Hoteliers will need to ensure that all profiling has met the core GDPR requirements including data permission, data access, and data focus – and honor any requests or objections from guests.
For some hoteliers, it will require very little change. For others, it will require a whole new set of data management systems and processes.
What do hoteliers need to do next when it comes to GDPR?
To start, hoteliers must prioritize based on their resources, locations, guest expectations and risk profile. I think the most critical first phase is to audit the data they already have and develop an efficient and robust record-keeping system to prove compliance. The next step is to do a privacy impact assessment of all sources to determine when it seems data could be put at risk and respond quickly to mitigate it.
GDPR offers a unique opportunity to develop completely new ways of working that are based on the key principles of trust and transparency. Ultimately, in the long run, data protection and privacy will become more of a brand differentiator, so those who do the right thing will win.
Concilio Labs is working with clients to ensure their data gathering and storage protocol for its Insight Engine product remains compliant with GDPR regulations.