GDPR: are foodservice and hospitality firms prepared?

The General Data Protection Regulation (GDPR) will come into force across the European Union on 25 May 2018. Is your business ready? Tom Lawrence looks at the implications.

It’s no secret that the online world is teeming with data sharing. And the hospitality sector is no different in that regard. If you’ve visited a website recently only to see an advert for that website inexplicably pop up later on social media, or received content recommendations tailored to your interests as if by magic, you’re witnessing the end point of a long-winded data journey.

“Sites survey the length and frequency of your web visit, the preference boxes you select, and any information you make available,” says Kory Willis, senior director of IT, Impartner. “Many sites share your information with hundreds of other third-party entities.” While some of these help to provide a more customised internet experience, others are not so scrupulous.

New obligations

Now the European Union (EU)’s landmark General Data Protection Regulation (GDPR) legislation is cracking down on the worst excesses of data sharing. Once enforced, GDPR will introduce new obligations on lawful and secure processing of all personal data held by businesses. Consent has been touted as the watchword of GDPR, but there are five additional “bases” on which lawful data processing can be achieved – via contracts, legal obligations, vital interests, public interests and legitimate interests.

It’s a move with worldwide implications. Any company that does business in the EU will have to comply with the new rules. While the aforementioned bases offer a number of ways in which this can be done, firms that pass up the opportunity to overhaul dubious data practices now face huge fines after the 25 May deadline.

Cambridge Analytica’s use of sensitive personal details to skew election and referendum results has dominated headlines in recent weeks. Web users are waking up to just how much of their information is held by businesses and the ease with which this information can be unwittingly used against them. Under GDPR, cavalier use of data should become more difficult.

But what’s the foodservice and hospitality perspective on this? Is the clamour around GDPR really relevant to businesses for whom the byzantine ritual of digital data sharing barely registers?

Foodservice, hospitality and GDPR

On the one hand, unless you have a sprawling digital presence comprising circular emails to obscure lists and websites with pre-ticked consent boxes, GDPR will not be the watershed moment many commentators are anticipating. Restaurateurs, hoteliers and caterers are unlikely to be making online mistakes at the kind of scale where GDPR is set to bite.

On the other hand, smaller firms lacking oversight of what they’re sharing or storing via a data protection officer could be most at risk. “GDPR applies to companies large and small, but small businesses may not realise just how much information they’re storing about their customers or their own employees,” says Willis.

This means reviewing data practices of all kinds, not merely the obvious spectre of flaunting customer details. Bad offline habits aren’t necessarily exempt. “Every time an employee joins your organisation, you must make sure that their legal, financial and personal information is stored compliantly,” Willis points out. “And, once they leave, employees have the right to ask to see all the information that you have, or to ask that the information be fully deleted.”

GDPR also represents an opportunity for CEOs to take stock of whether their own digital footprint is leaving them exposed online. As well as raising the bar for proper online practice, GDPR will increase the scope of what data is protected to hitherto unregulated realms like social media and location information. With internet users likely to face what Willis calls a “barrage of consent forms” come 25 May, business owners may be shocked by their own unwitting trail of data.

“For some users it could be startling to realise just how much information their favourite sites have been sharing with monitoring tools they never knew existed,” says Willis.

The other perspective to consider is the consumer view. “I don’t think people are going to stop accessing sites that they’re accustomed to visiting”, says Willis. However, he also notes that studies show users are wary about consent forms; firms failing to show due care and sensitivity around the consent issue following GDPR’s enforcement could be setting themselves up for trouble. It’s an important point for foodservice and hospitality firms of all kinds with an online presence. Balancing user experience with the need to acquire explicit consent will be challenging but crucial in GDPR Europe.

What should businesses do?

Even for firms with a limited digital presence, GDPR could create new hoops to jump through. If you’re holding any kind of data on your customers or thinking of ramping up your online presence in the near future, there’s a new legislative climate to consider.

There are, however, some neat ways to avoid falling foul of the legislation. Businesses can continue their day-to-day operations unhindered providing they have shown a concerted effort to bring themselves in line with the legislation. It’s only the most egregious offenders who risk financial penalties.

“Organisations large enough to support a data protection officer should absolutely appoint one”, says Willis. “Small businesses should choose a point person to handle questions of data privacy and protection.” It’s sensible advice for firms operating outside the EU as well as within it. The foodservice and hospitality industries are increasingly integrated, with transnational supply chains and global audiences. Firms would do well to harness their data before it gets out of control.

These are cautionary warnings for consultants, ones that seriously need passing on to digital-savvy clients. Nevertheless, Willis leaves on an optimistic note. After all, the opportunity to re-establish trust with consumers is not to be sniffed at. “This regulation was passed for the benefit and protection of all internet users,” he says. “Businesses should not see this as a burden, but a promise of fair and transparent use of data.”

Thomas Lawrence