Instead of fearing GDPR, travel, transport & hospitality companies should embrace this opportune moment to fine-tune their data foundations, place the customer first and safeguard their bottom line.
Over the last thirty years, the Internet has been the biggest disuptor to the travel, transport and hospitality industry. From apps, aggregators and AirBnB to review sites and price-comparison tools – travel’s digital migration is almost complete. Last year, global online travel sales totalled $564.87bn (US). By 2019, we’re looking at $755.94bn. Today, more than 80% of world travellers book trips online.
But travel, transport and hospitality is more than bookings and revenue – it’s a world within a world. Expedia found that most travellers visit 38 websites before tapping in card details, while HuffPost believes 95% of US travellers read seven reviews before purchasing a trip.
The digital transformation of the travel industry is more than enabling travellers to research and book transport and hospitality online via a range of devices. However, each time a user browses, clicks, likes, shares, watches or reads they leave a data trail. And that data has become the lifeblood of the digital industry.
In 2015, the travel, transport and hospitality industry pumped more cash into online advertising than the electronics, media, entertainment and healthcare sectors. Travel is one of the biggest spenders in programmatic advertising, particularly video, and social media re-targeting. This is why, the coming of GDPR on May 25, 2018, redefining the parameters of consumer trust and privacy, represents the next great disruption to the travel, transport and hospitality industry.
A quick word on GDPR
GDPR is not just a beefing up of existing privacy frameworks – it’s a complete paradigm shift, asserting that personal data belongs to the individual. So, from May 25, 2018, organisations must be crystal clear when it comes to personal data and special category data: proving consent was given and explaining what data is being used for; how it’s protected, and how long it’ll be kept.
Non-compliance starts with a warning, but fines quickly escalate to €20m (or 4% of the previous year’s turnover – whichever is greater). Alarming as the penalties are, they may be a drop in the ocean when compared to reputational damage and the loss of customer trust. Take the recent example of Uber – who decided to cover up the theft of 57 million people’s personal data. If it were done in the GDPR era, this data leak would have resulted in a fine of $260M – or 4% of the company’s global revenue, which was $6.5B in 2016 – this would be significantly higher than the maximum penalties currently in effect (this is £500,000 in UK). Even without this massive GDPR fine, Uber still had to face a massive negative reputational impact as the story made the headlines across the globe.
Although there is no scientific data on GDPR readiness of travel companies, anecdotal evidence suggests that just 8% of companies are prepared, despite intervention and guidance by industry bodies. The industry is not unique. Other industries are also still finding their feet when it comes to GDPR. According to a CenturyLink study, just 25% of UK legal firms – who should be leading the charge – are GDPR-ready.
What do travel, transport & hospitality firms have to do?
Prepare. Ideally, they’ll already be well on the path to compliance because GDPR is real and it does have teeth, as several global companies have found to their cost when facing the collective might of the EU data protection taskforce. But it’s more than a legal challenge – it is also an operational challenge. Historically, point-of-sale devices and large, often weak, databases make travel, transport and hospitality firms – such as tour operators, airlines, hotels and agents – easy prey for cyber criminals. With the new onus on data protection and privacy, companies will need to ensure systems are impervious to attack.
Companies should get hands-on with their data, mapping their customer and employee data across all systems and defining processes and controls to not only mitigate fines, consumer wrath and brand damage but also improve quality and reduce redundancy of personal data.
Larger companies must appoint a Data Protection Officer to oversee compliance with the new GDPR rules and ensure these processes and controls are fit for purpose. It is not just within their organisations either, travel, transport and hospitality companies routinely share customer information with third-party tools, apps, and businesses for payment and itinerary purposes. The Data Protection Officer is responsible for ensuring the privacy and security of personal data extends to these environments as well. This will typically require a review of existing contractual agreements and must not be neglected if these organisations wish to ensure compliance.
Away from systems, GDPR has cultural implications too. Marketing chiefs need to enact the data subject access rights, such as accessibility, rectification, data portability or the right to be forgotten.
And they must adapt for an era where auto opt-ins and implied consent will no longer be an acceptable practice.
From May 2018, consent needs to be explicit and verifiable – there will be no more opt-in by default, omission or attrition. Under GDPR rules, customers must know how firms use their data – and they must explicitly agree to it.
How can travel, transport and hospitality sectors use technology to get ready?
While GDPR is the biggest disruption facing the industry in recent years, like any disruptor, it can be viewed as an opportunity rather than a threat.
Organisations should look at GDPR as an opportunity to use the latest cloud-based data integration and data fabric platforms to create a full, 360-degree view of their customers. By analysing to validate, clean, enrich, and remove redundancy from customer data pipelines, organisations can create a trusted source of customer information that can be accessed and managed in real time, as part of the customer journey. Organisations should look to leverage big data-ready platforms that allow them to capture, reconcile, document, protect and publish any personal information in an automated way, whether in the cloud or on-premise. By doing so, they can ensure that they always have an up to date map of GDPR related data across their IT landscape. Furthermore, it will foster accountability and stewardship from the Data Protection Officer down to operations, and will allow the protection or anonymisation of data when needed. Importantly, it can also manage data movements and data subject access requests helping organisations to comply with data portability or right to be forgotten requirements.
It is a vital move if firms are to validate the accuracy and privacy of customer data, and fulfil their obligation to provide customers with access to their data.
Translating GDPR readiness into value
When it comes to customer desires, the travel, transport and hospitality sector has an advantage over other industries. More than finance or FMCG, people really do want holiday offers. Travel is like getting a haircut – most people do it at least once a year, and they want to make it personal. Make it an enjoyable and value-added experience, and customers will keep coming back. Think of the Uber experience where you don’t have to search, book, tell the driver where you are, or pay in several different stages anymore. It’s now just one click.
A study by American Express found that 83% of millennials said they would happily let travel, transport and hospitality brands track their digital patterns if it resulted in a more relevant, personalised holiday experience. In fact, 85% of all respondents – of all age groups – said that customised itineraries and messaging were much more desirable than general, mass-market offerings.
In short, there are customers out there who want to opt-in. GDPR compliance through the implementation of data fabric and management system that creates a controlled 360-degree view of the customer – with full consent – is the means by which travel, transport and hospitality firms will maintain customer satisfaction and profitability. Firms can stockpile that data for more effective segmentation; to serve adverts – and curate engaging content and adverts – that really fit the customer’s vision. Remember, the quality of the customer journey and the customer experience will be directly linked to quantity and quality of the customer data, so it’s time to act.
By Jean-Michel Franco, Director of Data Governance Products, Talend
GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at http://www.gdprsummit.london/