The amount of personal data collected by businesses, including Australian hoteliers, is astounding.
Just think about your own smartphone usage: when signing up for an app like Uber, you might use your Facebook login for ease, which means Uber has access to information such as contact details, friends, location and more.
In return, Facebook can access details on a customer’s travel patterns. However, with the implementation of restrictive data protection laws such as the EU’s GDPR rules, and updates to the Australian government’s own Privacy Act 1988, this kind of unchecked spread of consumer data is set to change and offer people a right to be forgotten.
What is GDPR?
GDPR is an acronym for General Data Protection Regulation. It is an EU regulation that will come into effect on May 25, 2018 and generate the biggest changes in data protection in the EU since 1995. GDPR was created to bring as much uniformity into data protection as possible and is a regulation far better suited to the challenges today’s digital world poses.
In many cases GDPR will also apply to businesses, including local accommodation providers, that are not actually based in the EU. For example, even if you operate an upscale eco-lodge resort based in Queensland, if you monitor the behaviour of guests that takes place within the EU, such as booking trends out of France, you must comply with the requirements of GDPR. It even applies to website visits from users who are in the EU, regardless of whether they are EU citizens or not.
What is a right to be forgotten?
New data protection laws, such as GDPR, pose significant challenges for local hoteliers as they include provisions around a guest’s ‘right to be forgotten’. In practical terms, a right to be forgotten means that any person your hotel holds information on (be that an email address for a newsletter, or customer details for a loyalty / rewards program) can ask you, at any time, to forget everything you know about them. Forever.
On receiving a right to be forgotten request, a hotel must then take all steps necessary to remove all the customer data it is holding. While there are some exceptions, such as if the data is needed for a legal claim, most of the right to be forgotten requests a start-up receives will have to be actioned.
What does it mean for Australian hoteliers?
On the face of it, a person requesting that your accommodation business delete all of their personal data may seem like a simple request: just delete a record when asked. However, the reality is very different. In many hotel groups data is not always held in one system, so ‘removing that record’ swiftly becomes ‘removing multiple records’, especially for hotel groups with multiple properties around the country and different systems. To complicate this further, the process itself could be initiated through a range of channels such as a website, direct email or mobile application. Regardless of where the request comes from, it’s important that the process remains the same across the business.
When your hotel is looking to build its own ‘right to be forgotten’ process, you need to consider four specific items: the mechanisms that the customer can interact with to initiate the process; the mechanisms for removing the customer’s data; the audit trail; and the reporting mechanism to the customer (e.g. email notifications of the deletion process).
Further complicating matters is the fact that Australian hoteliers often work with outside agencies to help market their properties and services to existing and potential guests. In these instances, customer data may not only be in multiple systems and locations within a business, but data may be held by other external organisations as well.
To ensure that you know exactly where customer data is when working with third parties, it is important that all hotels follow a proper process. The process starts with identifying the systems and channels that the external partner is working with for you, such as marketing software. Hotels should also be able to understand who is gathering guest data, at what point, for what purpose and where it is stored so that any gaps can be identified and resolved.
Meeting the challenge
In an interconnected world where every online interaction is collected, recorded and analysed, and companies often know more about people than they know about themselves, governments are developing regulations that restrict how, when and where all businesses collect data. Ensuring that your hotel has the right processes in place to assist customer requests around their data, including the right to be forgotten, is a challenge all local accommodation businesses must address.