How a non-compliant breakfast could cost hoteliers dearly

Did you miss the headline fine dished out to Marriott by the Information Commissioner’s Office this year? A whopping £100m for the loss of personal data including credit card details, passport numbers and dates of birth stolen in a massive global hack of guest records.

 

In fact, our previous blog explored this breach and its consequences for hoteliers. Most startling was the fact that two-thirds of hotel websites leave guests’ personal data exposed to hackers.

 

While Marriott has stolen the limelight for hotels hit by GDPR enforcement, they aren’t the only hoteliers coming under the cosh. We were alerted to an interesting case of non-compliant breakfasting by travel blogger One Mile at a Time that left us thinking about the myriad GDPR challenges this industry comes up against.

 

On July 2nd the World Trade Center Bucharest’s Pullman hotel was fined 15k Euros by the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP).

 

A photograph was taken without the guests’ permission that showed a list of 46 names of those booked in for breakfast at the hotel. That was all it took for the hotel to have to hand over thousands in fines. 

Here’s the summary from EnforcementTracker.com:

 

 – The breach of data security was that a printed paper list used to check breakfast customers and containing personal data of 46 clients who stayed at the hotel’s WORLD TRADE CENTER BUCHAREST SA was photographed by unauthorized people outside the company, which led to the disclosure of the personal data of some clients through online publication. The operator of WORLD TRADE CENTER BUCHAREST SA has been sanctioned because it has not taken steps to ensure that data is not disclosed to unauthorized parties – 

 

You can imagine this scenario playing out across so many functions. From travel arrangement lists, event guest lists used on the door, to breakfast, lunch and dinner! How would you feel coming up against a 15k fine for non-compliant printouts?

 

It goes to show that it isn’t just high-profile hacks that can land hoteliers in hot water when it comes to GDPR. Proper data protection encompasses the whole business – not just email marketing permissions or hack precautions.

 

With this in mind it is essential to track and respond to any potential business practices that can lead to a breach. This should go hand in hand with staff training and awareness. As this latest example shows, an employee armed with a printer could see your business end up on the register of GDPR offenders – and cost you a lot more than the price of a free breakfast…

 

 

If you are struggling to identify the weak links in your GDPR strategy get in touch to find out how we can help shore up your defences with our bespoke auditing services. 

 

Facial recognition technology at events – next generation nightmare?

Event professionals aren’t often given the recognition they deserve – it’s a catch 22. If you do the job well the hours of behind-the-scenes planning, prep, sweat and tears are often taken for granted.

 

This is a profession that demands creativity and the ability to analyse and problem solve for almost any eventuality! When technology comes along that promises to solve your most troublesome pain points it’s no wonder it’s met with open arms.

 

And this time, we are talking about live facial recognition.

 

Revolutionary, innovative, exciting? Or, invasive, insecure and maybe even illegal? Here we dig into the reality of facial recognition and what it means for events professionals on the front line.


Why use facial recognition technologies?

 

Many of us are already used to using facial recognition in our lives, with most of the latest smartphones scrapping unlock codes for a scan of your profile. Similarly, many airports and border checks deploy the technology for safety and crime prevention; in the UK we are encouraged to use epassport gates powered by facial recognition over and above manned border controls.

 

Similarly, as this blog from EventsAir summarises, there are several reasons why the hospitality industry is excited about the potential of live facial recognition: quicker check-in, enhanced safety, data and insights, personalisation and convenience, to name a few. While still in its infancy there is already talk of how next-level biometrics technologies could be deployed within events. Imagine being able to analyse en masse when people are hungry, dehydrated or tired and in need of a break?

 

The ability to analyse and tailor events based on detailed metrics is very exciting.

 

Here comes the but…


Live facial recognition and the law

 

The introduction of GDPR put a firm stake in the ground when it comes to such biometric analytics.

 

Following the deployment of live facial recognition by South Wales Police for the purpose of crime prevention and detection, Elizabeth Denham, UK Information Commissioner wrote an uncompromising blog. She explained that live facial recognition technology, no matter the purpose for which it is deployed, is subject to data protection legislation.

 

Under GDPR biometric data is classed as a ‘special category’ and so requires even greater protections. The legislation doesn’t preclude use of facial recognition technologies but is very clear about the permissions and parameters that apply.

 

From ‘explicit consent’ to ‘appropriate safeguards’ the GDPR lays down the conditions under which live facial recognition can be used legally. While it’s clear that data protection law applies to facial recognition, deciphering the legislation is a challenge in itself!

 

It’s worth noting too that GDPR doesn’t just apply to events taking place in the EU, but to any EU subject no matter where they are. Planning for an event with EU attendees in California or Brisbane still requires you to comply with GDPR. Whether using state of the art technologies such as live facial recognition or biometrics or simply processing personal data in more conventional ways, GDPR should now hold top billing in relation to event prep.

Don’t assume attendee attitudes to facial recognition

 

These technologies are the subject of much debate, with Amazon recently under pressure by activist shareholders concerned about the direction of its ‘Rekognition’ software. In China there are shocking reports of the state using facial recognition to track and target ethnic minorities.

A study by the Brookings Institution in September 2018 suggested that around half of Americans wanted law enforcement to be limited in their use of facial recognition technologies. 42% agreed that it invaded personal privacy rights. However, some studies suggest that people are more open to facial recognition technologies – especially where it concerns issues of safety and security.

 

It’s important to consider how any potential use of facial recognition at public events is justified to attendees – not just to gain individuals’ explicit consent but also to reassure and educate.

 

With our decades of experience in the events and hospitality industry we know the demands placed on event pros. Importantly, we understand how GDPR applies to the events industry and the additional challenges it places upon colleagues.

 

If you’re worried about data protection and compliance with GDPR, get in touch and let’s chat.

Five ways in which GDPR compliance drives better business

Over the past twelve months four little letters have sent a shiver up the spine of business leaders. Can you guess which ones?

 

Yes, it’s ‘GDPR’, the EU’s General Data Protection Regulation, which came into force in May 2018. In the run-up to this deadline doomsday headlines dominated. From the potentially huge fines for breach, to predictions of regulators gearing up to smite businesses small and large indiscriminately.

 

Unfortunately in among the fear-mongering, a massive opportunity was missed. What the GDPR pundits failed to report are the very real business benefits of compliance with the new data protection regulations.

 

In fact, good data protection practices don’t just safeguard against the prying eyes of regulators. They make you do better business, helping to revolutionise the way we use, process and harness the power of data.

 

Here we explore how you can increase your competitive advantage by going beyond GDPR compliance to make your data work harder and smarter.

 

1) GDPR makes you get a grip on security

 

 

88% of data breaches are not the result of cyber attack or poor technology – they are caused by human error. Whether emailing sensitive information to the wrong recipient, storing data in insecure locations or losing paperwork, it’s the people in your organisation that are the biggest threat to data.

 

The GDPR is very clear about who should have access to sensitive personal data through access management policies and procedures. Businesses need to make sure that personal data can only be accessed by the right people in the organisation, for the explicit purpose for which that data has been collected or stored.

 

In short, the GDPR limits who can access personal data, and why – and those who do have access require training and knowledge of the responsibilities of handling it.

 

The fewer people who access sensitive data, the less the risk of human error leading to data breach.

 

2) Privacy by design means secure, cross-border business

 

 

With GDPR applying to anyone doing business in the EU, the reach of the regulations extends across the world. While some see this as a burden, we should really consider the positive ripple effect that the EU’s robust approach to data protection sets in motion. In fact, other regions are following suit – with Brazil echoing much of the regulation, and discussion on how the US will respond to the need for greater protections.

 

Organisations operating across EU borders should find solace in the fact that the partners they depend on are governed by GDPR. With the regulations designed to encourage businesses to implement privacy by design, it places the onus on organisations to be stringent about data protection at every step. That includes their dealings with third party suppliers and partners.

 

Demonstrating proactive GDPR compliance shows you are geared up for the global marketplace, that you can be trusted, and are aligned with your international partners.

 

3) Data protection creates greater customer confidence

 

 

60% of consumers are aware of GDPR, and with headlines of high profile fines for organisations found in breach, awareness will only grow. At the same time, 48% of UK adults plan to activate new rights over their personal data.

 

Demonstrating a proactive, open and encompassing approach to data-protection shows customers you take their concerns seriously, and respect their autonomy in relation to data. In fact, the number of consumers who say they are happy to share their data if they trust the company has nearly doubled between 2016 and 2018, from 16% to 30%.

 

Never mind the fallout from being found in breach of GDPR, focus on the advantage you gain in complying – and being vocal in your support of the foundations of the regulations. Earning the trust of your customers is priceless, while the cost to comply is negligible in comparison.

 

4) GDPR delivers better marketing ROI

 

 

One of the pillars of the GDPR is that organisations need a data subject’s consent to process personal information. By cleansing your databases of those who did not opt-in you immediately hone your target list to relevant and engaged clients. With a cleansed database it is much easier to experiment with tailored and targeted marketing messages and tactics that speak to your audience.

 

By adopting such a targeted approach, through the use of ‘clean’ data, not only are you complying with GDPR, but you will find higher conversion rates can be achieved from your marketing efforts. Cleanse data, understand your audience and watch your marketing budget work harder.

 

5) GDPR compliance will improve your bottom line

 

 

Quite simply, complying with GDPR won’t just improve your security practices, data handling procedures and marketing output – it is showing a direct impact on organisations’ profitability.

 

Our partners Port.IM recently reported that the impact of GDPR compliance can result in up to 30% sales growth. This is as a result of increased trust and secure management of privacy.

 

Whether improved security, strengthened customer trust, borderless commerce or improved targeted marketing efforts, GDPR isn’t a rod for our backs, but a tool for better business.

 

Whether you are at the start of your GDPR journey, or are seeking insight on how to assess, test or improve your systems we are here to offer our expertise.

 

Get in touch to discuss how we can help turn compliance into better business!

Transform subject access requests into better business with Port Engage

The General Data Protection Regulation has had a huge impact on the rights individuals have to access personal data held by organisations about them.

 

Under GDPR transparency between data subject and data controller is a core principle. Infringements of data subject rights attract the highest financial penalties as well as empowering the regulator to stop businesses processing data at all.

 

With increased awareness and consumer concern over data privacy, research has shown that 48% of UK adults plan to activate these new rights over their personal data.

 

For organisations dealing with this deluge of subject access requests, the challenge is two-fold:

 

  • Streamlining processes to ensure cost-effective compliance

  • Transforming subject access requests into a valuable customer touchpoint

 

In response to both these challenges, along with our partner Port.IM we are launching a dedicated subject access solution – Port Engage.

 

Port Engage enables customers to instantly access the data held on them by an organisation via a simple online portal. For businesses this means instant, guaranteed compliance with data protection regulations and a tangible opportunity to build trust with their customers.

 

Vitally, for customers it provides proof of an organisation’s dedication to transparency and respect in relation to personal data.

 

Learn how Port Engage works

 

“By far the most important factor for consumers in deciding to share their personal data is whether they trust the relevant organisation. Trust in an organisation or business remains the dominant prerequisite when engaging consumers within the data economy.”

Data & Marketing Association

 

What Port Engage offers you and your customers

 

Your customers

  • Instant access to personal data
  • Simple, customer-friendly portal
  • Proof of dedication to transparency
  • Greater understanding of benefits of sharing personal data
  • Assurance of compliance with GDPR

Your business

  • Instant compliance with subject access requests
  • Remove threat of missed deadlines in respect of subject access requests
  • Proactive transparency
  • Strengthen customer trust
  • Valuable customer touchpoint
  • Demonstrate how data is used for customer benefit (e.g. Loyalty Schemes)

 

Designed with hospitality in mind

 

As experts in GDPR compliance for the hospitality industry, Port has built Engage to help its data-driven clients achieve more from guest interactions. Alongside Tenax’s specialist experience in this industry, we’ve chosen Port Engage as our partner, answering the very specific needs of our clients.

 

Research by American Express found that 83% of millennials said they would happily let hospitality brands track their digital patterns if it meant a more personalised experience.

 

To benefit from customers’ desire to engage and share data it is vital that it is done with full regard to the GDPR, with full, demonstrable and transparent consent.

 

Using transparent solutions such as Port Engage means hospitality brands can offer personalised experiences built on a foundation of compliance – leading to better business and more loyal customers.

 

Contact Bruce Smith for more information on how we can help you and your customers get more from data, while remaining compliant with regulations.