GDPR – The cost of non-compliance

For years now, the hospitality business has shared Big Tech’s addiction to customer data. Rather than sell it to advertisers, however, hotels and airlines traditionally use it to personalize travel experiences.

Hotels – in particular luxury hotels – collect customer data to build detailed guest profiles, which can include personal preferences, from room and pillow choices to favorite cocktails, and potentially more explicit guest information.

For those travel brands who have not taken GDPR seriously, recent fines surely serve as a wake-up call. With data breach penalties of up to 4% of global turnover, it’s time to consider the true cost of customer data.

Both British Airways’ record fine of £183 million, following a data breach that affected some 500,000 customers, and Marriott International’s £99 million fine, relating to a hack of the Starwood database last November, are doubtless just the tip of the iceberg.

While these fines are hitting the headlines, serious data breaches have been a regular occurrence in the travel industry for years.

Hyatt Hotels discovered malware in their payment systems in 2015, the same year that Hilton urged all its customers to check their credit card statements after confirming the theft of cardholder payment details.

In 2016 Uber suffered a data breach which affected over 75 million users and 600,000 drivers around the world. Still in 2016, hackers stole data from more than 1,200 InterContinental Hotels in the Americas.

Personalisation data

Brands across all industries rely increasingly on personalization, and in the case of travel brands, personalized customer service now depends on CRM systems, rather than the general manager’s personal knowledge of a valued client’s requirements.

It doesn’t take too much imagination to picture some clients not wanting this “white glove” information shared in the public domain, particularly at hotels attracting the rich and famous.

Data breaches are not only potentially embarrassing, they can seriously devalue a travel brand and damage the trust that has taken years to build.

If this can happen to some of the biggest players in the business, whose cyber security budgets dwarf those of most businesses, how exposed are smaller groups and individual hotels?

Outdated practices

The pursuit of digital marketing and CRM has made travel marketing much more effective, but the overhead of governance, compliance and security has been hugely underestimated.

There is now an urgent need for travel brands to review their practices to secure systems and comply fully with the regulations, as well as define a customer data strategy that identifies what is and isn’t collected, how it is used and who it is shared with to improve the customer experience.

GDPR was the first step to set out obligations for businesses that collect, process and store customer data, ensuring full consent is obtained for specific, explicit and legitimate purposes.

But has everyone complied? If you have noticed a dramatic drop in spam emails since last May, I’d be surprised.

Apart from website and CRM issues, there are other long-standing security and data processing problems in the hotel business.

For instance, it remains common for luxury hotels and travel agents to email booking forms to clients and request preferences and credit card details as part of the booking process.

This information is often provided in PDFs and emails without any obvious security in place, with hard copies also being held.

If cyber criminals just need to hack into a reservations email server to harvest high-net-worth individuals’ credit cards, the industry has a long way to go to get its house in order.

Using security and privacy to gain competitive advantage

For those who have invested in the right systems and processes, perhaps privacy could become a highly valued competitive advantage?

There are certainly audiences who would value privacy and security today, including the very wealthy and famous who have traditionally demanded discretion.

But demonstrating good data governance and compliance will become table stakes in the future.

We think that this will mean going way beyond promising customers that their data will not be shared with any third parties.

Even knowing that they have the right to delete their data at any time and that it will not be used for any algorithmic “learning” is academic in the face of what unscrupulous individuals will do if they get hold of this data.

Securing systems and compliance with GDPR are simply the first two steps, but both need to be part of a full review of how every travel brand uses customer data for marketing and enhancing customer service.

It’s in every travel business’s self-interest to provide secure, compliant and trusted customer data management, because if you get it wrong, it is not just the fines that will be punitive; the damage to your brand reputation may be irreversible.

For those that have halfheartedly complied with GDPR, it’s time to wake up to the true cost of customer data.
