What do these big names have in common? Google, Marriott, Dixons, Fifa, Uber, and Facebook…they’re some of the top organisations who’ve been accused of serious data breaches since GDPR came into force last year.
Many other organisations are also still struggling to grasp the data legislation – so is there something hospitality businesses need to learn from the big boys’ experience?
The Cambridge Analytica scandal cost Facebook dearly in reputation, but it is now obvious that the new rules are also hitting companies in their pockets.
The most recent recipient of a GDPR-related fine is Google, which was ordered to pay €50m (about £44m) by CNIL, France's data protection regulator.
Given that the maximum fine is 4% of global annual turnover, you could say this was a relative bargain: it could have been over £3 billion.
So what did Google get wrong? It failed to meet GDPR's transparency requirements, spreading the information users needed across several documents, and it could not show a valid legal basis (in its case, properly obtained consent) for processing personal data to personalise adverts.
Why this matters for you
You could argue that the authorities are only going after the big boys – but don’t fall into this trap.
While some cases are high profile, the regulatory authorities are also prosecuting smaller companies.
In fact, the Information Commissioner's Office (ICO), which enforces GDPR and other UK data protection laws, has prosecuted no fewer than 180 organisations in the last two years.
Some of these companies and individuals were, it must be said, actively involved in dodgy practices such as cold-calling or email spamming.
But many who were prosecuted were just negligent when it came to storing and processing data. The list of enforcement actions makes chilling reading because it includes organisations that should definitely know better.
What does this mean for the hospitality sector?
The hospitality industry is particularly exposed under GDPR. Your restaurant management software or property management system (PMS) could be storing gigabytes of stale personal data: old bookings, enquiries for weddings or even brochure requests.
Perhaps you don't hold as much data as Marriott, but the law is not concerned with the size of the database that has been breached. The ICO has successfully prosecuted individuals for much smaller infractions.
A recent survey found that in the two months after GDPR was introduced, 45% of hospitality businesses had disposed of IT equipment without wiping it first.
The research, which surveyed 1,002 UK employees, also found that 97% of hospitality businesses had no official process for disposing of IT equipment, and the same proportion of respondents said they would not know whom to approach within their company to do so.
Hospitality – is it one of the most guilty industries?
IT service provider Probrand Group, which commissioned the survey, named hospitality as one of the "most guilty industries", alongside transport, sales and marketing, manufacturing, utilities and retail.
Because the industry is built on customer service, a breach could damage not only turnover but also your reputation: once-loyal customers will no longer trust you with their data, which in turn undermines your marketing.
It is not only hard drives you need to be wary of. You can be ultra-stringent in your data disposal processes and still get caught out.
How? Every organisation that processes personal data must pay a data protection fee to the ICO (unless it is exempt) or face a fine of up to £4,350.
Take at least the following steps:
- Identify and record a lawful basis for every category of personal data you hold; consent is only one of the six bases GDPR allows, and if you rely on it, it must be freely given, specific and easy to withdraw
- Appoint a Data Protection Officer (mandatory for some organisations, and good practice for the rest)
- Carry out a Data Protection Impact Assessment before any processing likely to pose a high risk to individuals
- Keep a full record of every data breach, and report those that put individuals at risk to the ICO within 72 hours
- Respect 'the right to be forgotten' by being able to find and erase an individual's data on request
- Make the most of restaurant management software for data control, for example by setting retention periods so that stale booking and enquiry data is purged automatically
So if you want help getting up to speed on GDPR, we’re here to offer our help and guidance on best practices.
* Can restaurant management software and hotel management software boost your business? Of course – see how.