What do Google, Dixons, Marriott, Fifa, Uber, Quora and Facebook have in common? On the face of it not much – but they’re just a few of the famous organisations which have fallen foul of serious data breaches since GDPR came into force in May 2018.
And with many other organisations still struggling to get to grips with the data legislation, is there something hospitality businesses need to learn from their experience?
The Cambridge Analytica scandal may have caused Facebook some serious reputational damage and some tricky scrutiny, but it is now apparent that the regulations are hitting companies where it hurts most – their wallets.
The most recent and largest recipient of a GDPR-related fine is Google, hit with a £44m fine by France’s CNIL data watchdog.
Although this seems like a lot, given that the maximum fine is 4% of global turnover it is a relative bargain compared to the £3 billion it could have been. It remains to be seen what the long-term effects on Google’s reputation will be.
What did they do wrong? They did not meet GDPR’s transparency requirements, and did not demonstrate a lawful basis for processing the data.
Why this matters to you
If you’re complacent, you could argue that the authorities are only going after the big boys – you can’t get bigger than Google or Facebook – but don’t fall into this trap.
While these cases are high profile, it would be dangerous to assume that the regulatory authorities are not prosecuting smaller companies.
The Information Commissioner’s Office (ICO), which enforces GDPR and the pre-existing data protection laws in the UK, has prosecuted 180 organisations in the last two years.
Predictably, some of these companies and individuals were actively involved in shady practices such as cold-calling or email spamming millions of people.
However, many who were prosecuted were simply negligent in their processes of storing and processing data. The list of enforcement actions makes sobering reading as it includes organisations that should really know better.
What this means for the hospitality industry
The hospitality industry is not immune to the impact of GDPR. Your restaurant management software or PMS may be storing gigabytes of old data such as booking data, enquiries for weddings or brochure requests.
You may not be holding as much data as Marriott, but the law does not differentiate on the size of the database that has been breached or on who is breaching it. The ICO has successfully prosecuted individuals for much smaller infractions.
In fact, a recent survey found that in the two months following the introduction of GDPR, 45% of hospitality businesses neglected to wipe IT equipment before disposing of it.
The research, which surveyed 1,002 UK workers, also found that 97% of hospitality businesses did not have an official process for disposing of obsolete IT equipment, with the same percentage saying they would not know who to approach within their company to do so.
Hospitality – among the most guilty industries
IT service provider Probrand group, which commissioned the survey, named the hospitality sector as one of the “most guilty industries” alongside transportation, sales and marketing, manufacturing, utilities and retail.
For an industry built, literally, on customer service, a breach could not only hurt your turnover but also damage your reputation. Once-loyal customers will no longer trust you with their personal data, which can have a longer-term impact on your future marketing efforts.
It’s not just hard drives containing personal data that you need to be wary of. In fact, you may be ultra-stringent in your data cleaning processes and have security down to a “T” yet still get caught out.
How? A little-known fact that can catch the unsuspecting is that, as an organisation processing personal data, you need to pay a registration fee to the ICO or face a fine of up to £4,350.
We recommend you do at least the following:
- Get customer consent for all data
- Appoint someone to act as a Data Protection Officer
- Perform a Data Protection Impact Assessment
- Remember to document data breaches
- Respect the right to be forgotten
So if you need to get up to speed on GDPR, we’re happy to offer our help and guidance on best practices.