Guests, their data and European law
OVER THE last few weeks, almost every European citizen who has ever used the Internet to buy goods and services, or who has ever provided their personal details when seeking information from a website, has been bombarded with requests to allow the supplier concerned to retain and use their data in an agreed manner.
Companies from major airlines, such as British Airways and KLM, to law firms, hotels and even companies that may never obviously have been in contact, have been sending emails in various and often confusing formats which seek permission to retain and use whatever personal information they hold on their corporate databases.
This has happened because on May 25 a European Union law, the European Union General Data Protection Regulation (GDPR), came into force. The regulation provides advanced levels of protection to citizens in relation to the data that companies hold on individuals. Its aim is to safeguard EU citizens’ personal information.
In outline, the GDPR requires all entities whether in Europe or internationally who hold EU citizens’ data, to obtain their consent for its processing; collected data to be anonymised to protect privacy; client notification of all data breaches; and the guaranteed safe handling of data transfer across borders. Failure to observe could lead in the most serious cases to fines of between €10m to €20m (US$12m to US$24m) or two to four per cent of turnover, whichever is greater.
While the GDPR does not restrict companies from using whatever data they hold, it provides EU citizens with legally enforceable rights about how their personal information is handled.
The issue is of growing importance to consumers, given recent corporate security breaches, the loss of personal information, and the development of personal profiling for political purposes, using accumulated data.
For the hotel sector in the Caribbean, and those that it contracts to sell-up or provide addon products and services, whether based in the region or elsewhere, it means that all concerned become legally responsible for holding and transferring EU citizens data securely.
According to Frank Comito, the director general and CEO of the Caribbean Hotel and Tourism Association, the hospitality industry is particularly vulnerable to data breaches. In a recent statement, he pointed out that it has multiple points at which customer data is exchanged, from reservations and payment processing to rewards programmes and guest services. He noted, too, that the new regulation means that any client who requests their removal from a property’s database must inform them they are doing so and the time frame which it will happen.
Although the new regulation came into effect on May 25, no Caribbean hotel at which I have stayed – there are many of them – or any other tourism-related entity in the region has contacted me to request my permission to retain or use the information that they quite legitimately hold. In contrast, others, from The Washington Post to a favourite restaurant in an obscure part of rural Britain have made contact to ensure they are in legal compliance.
It is far from clear why this should be. Is it because the Caribbean hotel sector believes a data breach is impossible, they feel they have nothing to fear from remotely introduced regulations, they are confident their insurance policies might cover them against any future legal action, or because they believe this is yet one more administrative burden of marginal consequence?
If this is the case, they have failed to see that, potentially huge fines and legal costs apart, far more damaging will be the negative publicity that ensues and the potential for reputational damage if for whatever reasons they lose or misuse, by default, a client’s personal information.
Hoteliers and others in a notoriously once freewheeling industry may not like what is in effect a form of extraterritorial legislation, but the use of personal information for marketing and its safe retention are what today’s security-conscious traveller requires.