Angie Petkovic

How to be data compliant

Q) We have a lot of regular bookers and a fairly good year-round occupancy rate, but my marketing person convinced me to send an email newsletter to our past customers, encouraging them to revisit. I got quite a strongly worded email from one of the contacts asking how I got their data and spouting a lot of facts about data compliance. Ultimately, he had opted into our communications, but didn’t remember; however, the email did shake me up and I wondered what I should be doing to protect my business?

A) I’m not sure I will be able to do justice to the subject of data compliance in a single column, but I will do my best to provide a basic overview. Historically, there were two different standards of data compliance depending on whether the data you held was personal (B2C) or business (B2B). Personal customers have long been protected with unambiguous data opt-in laws, meaning the onus is on businesses to demonstrate where and how they obtained the data and that the customer gave them permission, i.e. ‘opted in’. B2B data, on the other hand, didn’t have anywhere near as much protection, so there was much more of a free-for-all.

In May 2016, this all changed, with the introduction of the ‘General Data Protection Regulation’ (GDPR) to the UK. GDPR is designed to strengthen and unify data protection within the EU and also protect data that is exported out of the EU; it is designed to give citizens back control of their data, and for the first time aligns B2B and B2C data on the basis that mobile devices have helped blur the lines between ‘personal’ and ‘business’ data. Although it was passed last year, it will become enforceable in May 2018, and legislates the administration, management and protection of your database.

GDPR applies to businesses of all sizes and you have no choice but to comply. As the majority of your database is B2C, it is likely that you already have many of the processes in place for compliance and are compliant, but here’s what you need to do to remain compliant:

1. It’s for all data:

Both existing guests and prospective ones. If a guest is emailing about an existing or potential stay, then you are free to communicate with them about your product, services, rates etc. specifically relating to their enquiry. Do not assume however that this also means you have consent to market to them outside of this relationship. You will still need them to ‘opt-in’ specifically for marketing messages.

2. Shift to ‘opt-in’:

Although we have been dealing with opt-in for personal data for many years, it hasn’t been necessary for business data. Now opt-in applies to both. Whatever you present to the customer to encourage opt-in must be unambiguous, i.e. they must be clear on exactly what they are agreeing to receive, and ‘inaction’ is no longer considered consent. For email addresses and mobile phone numbers it is no longer OK to take a ‘soft opt-in’ approach, examples of which include business card exchanges and sign up boxes on websites. Instead, all contacts must now have the opportunity to ‘double opt-in’ whereby a user signs up using their data, and then undertakes a further verifying process granting you full permission. If they do not complete the verification, then legally, they should now be deleted from the database. This means you are no longer allowed to include your data consent in standard terms of service, do ‘soft’ opt-ins or provide an opt-out box or pre-ticked opt-in box.

3. Brexit doesn’t matter:

Although the legislation is being adopted from the EU and we have now voted to leave, our exit will likely include trade agreements with European partners who will still be part of the EU, subject to this legislation, and expect the UK to do the same. What’s more, this legislation has been selected to supersede our own regulations, and so it is likely that it will be adopted verbatim as a common standard, even if we are not part of the EU.

As your data is primarily B2C, you should already be offering an opt-in process with verification and recording on your CRM system where, when and how you obtained their data. You must also have a process to support a customer’s ‘right to be forgotten’ so they can request to be permanently deleted from the database. If you are not already doing this then this is something you need to rectify asap or face fines of up to 4% of your annual turnover or €20m (£17.3m), whichever is greater.

It’s not all bad, however: GDPR gives marketers and businesses an opportunity to build better, more meaningful relationships with their contacts, and while the database size may reduce, the value of the contacts that remain should increase. Establish a process to contact the database, advise that you are having a ‘spring clean’ and find out who still wants to be contacted; this can be incentivised and will also help build trust with customers. Update your internal processes for any new data too, and if possible, use it as an opportunity to gain more data from your clients, not less. If you haven’t already got one, a good CRM system is key.


This feature first appeared in the April 2017 issue of Hotel Owner.
