GDPR for Hotels

Is your hotel prepared to apply the GDPR?

The new General Data Protection Regulation (GDPR) has certain implications for hotels’ online activities.


What should you keep in mind?

Transparency when collecting personal data

In the past, under the 1995 Data Protection Directive (DPD), consent could be inferred from a user’s action or inaction, because the Directive left room for opt-out models. Under the GDPR a clear affirmative act by the person is required, so silence, pre-ticked boxes and inactivity do not constitute consent.

Now, whenever a hotel relies on consent to process a user’s personal data, it must make sure that consent was given unequivocally and explicitly. In other words, the consumer must provide their data willingly, for specific and legitimate purposes, and must be told without ambiguity what will be done with the data.

Consent must be “freely given, specific, informed and unambiguous”, and the request for it must be presented in a manner “clearly distinguishable from the other matters” and in clear and plain language, not buried in legal boilerplate.

For example, a potential guest must give clear, separate consent at the time of booking for the hotel to use their email address in email marketing campaigns. Processing the address to fulfil the booking itself rests on the contract with the guest; without the additional consent, the hotel may not use the address beyond the booking.

Furthermore, if the hotel accepts credit card payments and intends to store, process or transmit cardholder data, it is obliged to store that data securely and to comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a contractual requirement of the card brands rather than part of the GDPR, but it covers the same personal data and the two obligations apply side by side.

A new email marketing strategy

One of the essential activities for hotels today is email marketing. It keeps the hotel brand in front of past guests and lets contacts in the database join a loyalty programme, which can increase direct bookings.

So, is the GDPR the end of email marketing? No. Not as long as users have consented to the use of their contact information for that purpose and the campaigns actually sent match the purpose they consented to.

But is it more difficult to get these contacts? Yes. On the other hand, a consumer’s interest in the hotel brand will be easier to identify, because they will have actively opted in. In other words, the regulation establishes that users must voluntarily “subscribe” to receive email marketing, and hotels must be able to prove that each new contact gave consent for that purpose: when, through which form, and with what wording.

Therefore, when turning new contacts into leads (sales opportunities), the hotel may collect only the contact information that is essential and necessary for that purpose. If the data collected are unnecessary or excessive for that purpose, the collection itself violates the GDPR’s data minimisation principle.
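The requirements above (an affirmative act, consent per purpose, proof of when and how it was given, and collecting only the fields the purpose needs) can be enforced in the sign-up path with a double opt-in flow: the form submission alone records nothing, and only the click on an emailed confirmation link creates a consent record. The following is an added Python example, not Hotelinking’s code or the page’s own; the allowed field set, the purpose names, the 48-hour link lifetime and the in-memory store are assumptions for illustration.

```python
"""Double opt-in consent ledger (added example, not Hotelinking's code)."""
import secrets
import time
from dataclasses import dataclass

# Assumed lifetime of a confirmation link.
TOKEN_TTL_SECONDS = 48 * 3600

# Data minimisation: the only fields the newsletter sign-up form may collect
# (assumed set for this example). Anything else is rejected at the door.
ALLOWED_FIELDS = {"email", "first_name"}


@dataclass(frozen=True)
class ConsentRecord:
    """The proof the hotel keeps to show consent was given."""
    email: str
    purpose: str          # consent is per purpose, e.g. "marketing"
    requested_at: float   # when the sign-up form was submitted
    confirmed_at: float   # when the confirmation link was clicked
    form_version: str     # which wording the person actually saw
    source: str           # channel, e.g. "website-newsletter-form"


class ConsentLedger:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing
        self._pending = {}           # token -> (email, purpose, form_version, source, issued_at)
        self._records = {}           # (email, purpose) -> ConsentRecord

    def request(self, form: dict, purpose: str, form_version: str, source: str) -> str:
        """Step 1: the form was submitted. Returns the one-time token to put in the
        confirmation e-mail. Nothing is recorded as consent yet: a submitted form,
        pre-ticked box or not, is not an affirmative act by itself."""
        extra = set(form) - ALLOWED_FIELDS
        if extra:
            raise ValueError(f"excessive data collected for {purpose}: {sorted(extra)}")
        token = secrets.token_urlsafe(32)   # unguessable, single use
        self._pending[token] = (form["email"], purpose, form_version, source, self._clock())
        return token

    def confirm(self, token: str) -> ConsentRecord:
        """Step 2: the person clicks the link. The click is the affirmative act."""
        entry = self._pending.pop(token, None)   # pop: a token can only be used once
        if entry is None:
            raise PermissionError("unknown or already used token")
        email, purpose, form_version, source, issued_at = entry
        now = self._clock()
        if now - issued_at > TOKEN_TTL_SECONDS:
            raise PermissionError("confirmation link expired")
        record = ConsentRecord(email, purpose, issued_at, now, form_version, source)
        self._records[(email, purpose)] = record
        return record

    def may_contact(self, email: str, purpose: str) -> bool:
        """Gate every campaign send on a recorded consent for that exact purpose."""
        return (email, purpose) in self._records

    def withdraw(self, email: str, purpose: str) -> None:
        """Withdrawing consent must be as easy as giving it."""
        self._records.pop((email, purpose), None)

    def proof(self, email: str) -> list:
        """Everything the hotel can show a regulator or the data subject."""
        return [r for (e, _), r in self._records.items() if e == email]


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed sample sign-up, not real guest data.
    token = ledger.request({"email": "guest@example.com"}, "marketing", "v3", "website-newsletter-form")
    print("may e-mail before confirmation:", ledger.may_contact("guest@example.com", "marketing"))
    ledger.confirm(token)
    print("may e-mail after confirmation:", ledger.may_contact("guest@example.com", "marketing"))
    print("may e-mail for another purpose:", ledger.may_contact("guest@example.com", "booking"))
```

Two design points matter here: the token is popped on first use, so a confirmation link cannot be replayed, and the consent key is (email, purpose), so consent collected for a booking never silently authorises marketing.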

So, what steps must your hotel follow to have a database that is compliant with this regulation?

1. Data mapping

Under the new regulation all personal data must be protected, and you cannot protect what you have not located. A hotel collects guests’ personal data through several online and offline channels, and several departments handle those data. Inventory every channel and every system where data end up, record which department is responsible for each and who has access, and make sure each store is secured.

2. Assessing security

Once the personal data of hotel contacts have been located, the security of each store must be tested and documented, identifying weaknesses that could be exploited in an attack. This will usually mean encrypting data in transit and at rest and restricting access to the staff and systems that actually need it.

3. Updating old policies

All data protection policies, including the privacy, retention, destruction and breach management policies, must be reviewed. Hotels must also make sure that the third-party companies that process their contacts’ data on their behalf comply with the GDPR, which means a written data processing agreement with each of them.

4. Implementing new policies

As already mentioned, one implication of the regulation is that only data useful for the purpose for which they were collected may be kept. The hotel must therefore review its stored data, delete anything non-essential, and inform contacts of the new policies and of their rights.

5. GDPR compliance

To keep complying with the regulation, hotels must ensure staff understand it and have a working procedure that applies it day to day. Everyone with access to customers’ personal data must know what the GDPR requires, because compliance only holds if it is applied consistently.

Here you can download our whitepaper explaining how Hotelinking complies with the new regulation: