GDPR, the Hospitality Sector and CRM

The hospitality sector needs to be on its mettle, as General Data Protection Regulation (GDPR) comes into effect on May 25 2018.

Accommodation and hospitality providers in possession of information relating to previous guests and customers, perhaps in the form of addresses, credit card details, date of birth and passport number, must safeguard and justify the retention of such data as from May 26.

They must demonstrate a reason for requiring the data and provide details of how it is protected.

Once GDPR arrives, any former guest or customer has the right to ask for details of any of their personal information you keep on file and request that it is either modified or deleted. You have one month to answer their queries and two months in which to delete data, if asked to do so.

Experts believe many people will ring or contact businesses, just to check they are compliant. For this reason, hospitality businesses should quickly audit their data, ascertain where it is stored and highlight which devices and people have access to it. The audit should also detail how it is protected. Firms which do not comply can be fined up to 4% of global turnover.

This legislation is particularly problematic for hospitality businesses that have, as part of best practice, used customer relationship management (CRM) as a marketing and customer service tool. Being able to demonstrate an understanding of guests’ needs and preferences has allowed accommodation providers to delight customers, by placing their favourite flowers in their most-loved room, arranging for particular chocolates to be on the pillow, or remembering their anniversary in an email.

GDPR does not place a blanket ban on such use of data. The data holder is allowed to put forward legitimate reasons as to why they need the data, stating how long they intend to retain it. Delighting customers may provide sufficient legitimacy, but there will be degrees to this. If a guest has not visited you for several years, hanging on to their data may be unreasonable, as your facilities and other factors may have changed, making the preferences you had noted of no current use.

Venues need to particularly vigilant when it comes to data breaches, as these will not be tolerated. Hospitality businesses should put cyber liability insurance protection in place, so that it can be called upon should the worst occur. This may seem difficult-to-do, but with an expert’s help that is not the case. If you need such assistance, please get in touch.