New regulations on storing and using customer information will have major implications for hospitality businesses, writes Brian McCulloch
NEXT year’s General Data Protection Regulation (GDPR) will have big implications for businesses across Europe – and Scottish licensed trade and hospitality businesses are no exception.
The new directive is aimed at increasing control and privacy of data that could be used to identify EU citizens and will regulate any business that deals with those citizens’ data, whether they actually operate in the EU or not.
With the UK creeping closer towards Brexit, these regulations might not seem so important. However, the UK government has made it clear that it intends for UK law to mirror the EU’s when it comes to data protection, so we still need to take note of the changes.
A key feature of GDPR is that data subjects (EU citizens) must give free, informed and unambiguous consent to businesses to allow their data to be processed, by a ‘statement or by a clear affirmative action’.
This means that if you have emails from online customer bookings, you can’t keep that data for email marketing unless the subject has freely chosen to give you their consent. Businesses must also keep a clear record of who consented, when they consented, what they were told, how they consented and if they have withdrawn consent.
Another key change that could affect Scotland’s hospitality industry is the strengthening of individuals’ rights with regard to their data, especially the ‘right to be forgotten’.
This means that businesses have to be able to completely erase data if a subject doesn’t want them to have it.
A consequence of this is that many businesses will need to tighten control of their databases and ensure that all employees know the procedures for recording customer data correctly.
There are some practical steps you can take in preparation for the new regulations that will keep you from being caught unawares come the spring.
After many years in the information security industry, I’m convinced that one of the biggest reasons that businesses will be caught out in the early days of GDPR is historic data.
The new directive requires businesses to know exactly when and how consent was obtained for data processing, as well as if and when that consent was withdrawn.
For many businesses, this poses a problem.
One company was reported to have deleted its entire customer email database. And while that might seem extreme, some companies will likely follow suit in deciding that the best way to stay safe with GDPR is to get rid of everything and start again.
Not every business in the hospitality industry can afford to forget their existing customers, but nearly every business can and should audit their existing data to see if it will pose a problem when the new directive comes into force.
Data that you don’t need or you know you didn’t obtain consent to process should be deleted if digital, and safely destroyed if it exists in hard copies. Err on the side of caution – if you have any doubt over your permission to retain information, get rid of it.
Where you have data that you’re happy to keep, make sure that you record as far as possible how and when it was obtained. A hallmark of companies that ride GDPR’s opening months out successfully will be good organisation.
Everyone in the business who has any contact with customer data should be aware of the processes for recording new data entries and dealing with old, unnecessary data.
You might consider appointing and training a ‘GDPR champion’ – your whole business will benefit from having someone there who knows anything and everything about compliance with the new regulations.
Whatever you do, act quickly because time is running out.
GDPR is only months away from coming into force, and we expect authorities to crack down from the start.
Preparing for the new directive now, by auditing your old data and assigning someone to learn about the regulations and review your security processes, will stand you in good stead for when the changeover happens.
If you can get something in place before the new year, you’ll be in a good position come the spring.
• Brian McCulloch is branch manager at Shredall Scotland.