Privacy law compliance has never been a simple task for the hospitality sector, with its large datasets of customers from all over the world, international operations, and marketing and loyalty programs. Many hospitality companies have invested millions in compliance efforts already. And as some laws reach maturity and others around the world are on the cusp of coming into force, what must the sector prioritize and focus on now?
Keep an eye on the basics
While headlines scream out details of the latest multimillion-pound fines, it is important to keep the focus on day-to-day privacy compliance basics. Basic compliance failures may not attract the highest fines, but the most regularly enforced area, and one that goes to the heart of brand loyalty and the value of a customer database, is non-compliance with basic direct marketing rules, and those rules have been around for decades.
Keep on top of security measures guidance
Many privacy laws impose a vague obligation to have “adequate measures” in place to protect the security of personal data, leaving the hospitality sector unsure what exactly is adequate and how far it should go. Accreditations such as Cyber Essentials or ISO 27001 are useful at a general level, but they evidence a management system rather than the specific controls a regulator will ask about after an incident, so it is important to keep an eye on the guidance and recommendations that set out what regulators actually expect. The UK Information Commissioner’s Office (ICO) ransomware guidance and the International Enforcement Co-operation Working Group’s guidance on credential stuffing are good examples: both give practical guidance and insight into what compliance looks like, and into what will be examined if an incident has to be reported.
Human error remains the greatest vulnerability
Approximately 80 percent of personal data breaches are not cyber-related (according to statistics from the UK’s ICO as of October 2022); emails and other correspondence sent to the wrong recipient are the main culprit. Companies with large customer service teams will always be exposed to this, so training, recording that training, repeating it, and putting technical guardrails in place against common errors such as bulk sends will save time and money in the longer term. Technical threats change, but human error is ever-present.
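One concrete guardrail of the kind described above, as an added example and not code from the original article: a pre-send check that holds an outgoing message when too many external recipients are visible in To/Cc (a bulk send that exposes the whole recipient list) or when a recipient domain is a couple of edits away from a domain the business normally mails (far more often a typo than a new correspondent). The internal domain, the known-domain list, the thresholds and the three sample messages are all constructed assumptions for the example.

```python
"""Pre-send guardrail for outbound email (added example, not from the article).

Two checks that catch the misdirected- and bulk-send errors the text describes:
1. too many external recipients visible in To/Cc (recipient list exposure);
2. a recipient domain within two edits of a domain the business normally
   mails, which is usually a typo rather than a new correspondent.
"""
from email import message_from_string
from email.utils import getaddresses

# Assumed policy values for the example; tune for the real environment.
INTERNAL_DOMAIN = "example-hotel.com"
KNOWN_EXTERNAL_DOMAINS = {"partner-travel.com", "gmail.com", "outlook.com"}
MAX_VISIBLE_EXTERNAL = 5
TYPO_DISTANCE = 2  # "gmial.com" vs "gmail.com" is two substitutions


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def recipients(msg, header: str) -> list[str]:
    """Lower-cased addresses from every instance of a header (To, Cc, Bcc)."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1]


def check_outbound(raw_message: str) -> list[str]:
    """Return a list of findings; an empty list means the message may be sent."""
    msg = message_from_string(raw_message)
    visible = recipients(msg, "To") + recipients(msg, "Cc")
    findings = []

    # Check 1: bulk send with the recipient list exposed to every recipient.
    external_visible = [a for a in visible if domain_of(a) != INTERNAL_DOMAIN]
    if len(external_visible) > MAX_VISIBLE_EXTERNAL:
        findings.append(
            f"bulk send: {len(external_visible)} external recipients visible in "
            f"To/Cc; use Bcc or the marketing platform")

    # Check 2: likely mistyped domain (Bcc recipients are checked here too).
    for addr in external_visible + recipients(msg, "Bcc"):
        dom = domain_of(addr)
        if dom in KNOWN_EXTERNAL_DOMAINS:
            continue
        near = sorted(k for k in KNOWN_EXTERNAL_DOMAINS
                      if 0 < edit_distance(dom, k) <= TYPO_DISTANCE)
        if near:
            findings.append(f"possible mistyped domain in {addr}: did you mean {near[0]}?")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_BULK = """From: reservations@example-hotel.com
To: a1@gmail.com, a2@outlook.com, a3@gmail.com, a4@partner-travel.com, a5@gmail.com, a6@outlook.com
Subject: Loyalty points update

Your points balance has been updated.
"""

SAMPLE_TYPO = """From: reservations@example-hotel.com
To: guest@gmial.com
Subject: Your booking confirmation

Attached is your confirmation.
"""

SAMPLE_OK = """From: reservations@example-hotel.com
To: colleague@example-hotel.com
Cc: guest@gmail.com
Subject: Room change

Room 402 is ready.
"""

if __name__ == "__main__":
    for name, sample in [("bulk", SAMPLE_BULK), ("typo", SAMPLE_TYPO), ("ok", SAMPLE_OK)]:
        print(name, check_outbound(sample) or "clear to send")
```

The point of a guardrail like this is to hold the message and ask the sender, not to block silently: the bulk-send rule catches the case where a customer list ends up in everyone's To header, and the edit-distance rule catches the single mistyped address that sends one guest's booking to a stranger. Both thresholds trade false positives against missed cases and should be tuned against real mail volume before enforcement.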
International laws require a flexible program
The General Data Protection Regulation (GDPR) may nearly be old enough to start school already, but countless new privacy laws around the world are only just being born, and the birth rate is soaring! With no uniformity even on whom the rules apply to and whom they protect, this lack of harmonization forces international hospitality companies to bring some sense and structure through a centralized but flexible privacy program.
Don’t create a paper mountain of detail that can never be gone through and only provides a record of things left half done. Focus instead on setting key pillars for compliance, offering a high baseline of protection across the business that you can scale up or down as local laws change and emerge. Create a spine of excellent basics and add in detail only where it is needed and moves the dial.