An ever-competitive market, the hospitality sector is continuing to see steady growth, with new competitors continually entering the market. With GDPR coming into force in May 2018, is it a compliance nightmare or the next competitive advantage for savvy businesses?
Restaurants and hospitality: an ever-changing market
2018 is set to see UK diners spend an estimated £54bn on eating out. With the sector growing steadily at approx. 1% per year over the last two years, we’re seeing more small-to-medium size chains appearing, fighting for their share of the gastro-boom.
What’s more, the new chains are teaching the old-guard a lesson in consumer satisfaction by being social media-savvy and coming up with revolutionary ways of getting their product to the consumer.
The continued expansion of on-demand food delivery services such as Uber Eats and Deliveroo are allowing the smaller chains such as Pieminster and The Alchemist to offer service levels traditionally only available to the larger groups.
At the same time, consumers are choosing to pay more for a premium product and service, with companies they can trust. The burger boom is testament to this, as premium burger chains such as Byron and Five Guys saw steady year on year growth again in 2016, to such an extent that even the traditional burger chains have added premium items to their menu in an attempt to keep up.
This boom may have been short-lived though, as Handmade Burger Company and Byron both struggled to keep themselves afloat as 2017 drew to a close, the latter having entered administration and agreed to close loss-making restaurants to survive.
GDPR for the restaurant industry
With customers choosing their eatery based on service level and trust, the way GDPR is embraced could make or break small and large establishments alike.
For smaller businesses and street food operators, any personal data they process is often basic and stored offline. For example, taking a name, phone number and email address when booking a table in a restaurant. This data could be handwritten into a bookings diary, and left in an easy-to-access area for ease of use. Restaurateurs should consider whether such a system will still be compliant under GDPR.
Larger companies often store more data, but in an easier to manage system. Take a restaurant loyalty scheme for example. Personal data such as name, address, email address, phone number etc. is taken and stored for an undetermined amount of time.
The data is often used for marketing campaigns, offering new deals and promotions to the customer base. Could this be considered legitimate business interest under GDPR? A more prudent question would be whether or not any company should want to risk getting into that debate in the first place.
Customers are looking for transparency and honesty, so whether a company wins a legitimate business interest debate is irrelevant. They could win the debate, but alienate their customer base in the process.
Is consent the next competitive advantage for hospitality?
With loyalty schemes and online booking systems being so prominent, it is much easier and more customer centric to consider using consent as the legal basis for data processing.
If a consumer books a hotel room or table, trust can be established instantly if the company lays out an easy to understand, transparent, consent based explanation of how the personal data is to be used and processed. Furthermore, if companies offer an easy to understand process for removal of consent and empower the consumer, then they are showing how much they value the consumer’s rights.
The industry needs to seriously consider its approach to GDPR, as the risk/rewards with getting it right or wrong are likely to be huge. Legitimate business interest may apply in some cases, but using a person’s data for future marketing after it was given for a loyalty scheme or booking form is going to be a difficult and costly case to argue.
What do we know about consent under GDPR?
Consent is one of the six lawful bases to process data, as listed in Article 6 of the GDPR. It is seen by some as the gateway to GDPR compliance, and by others as completely unnecessary. There is no one-size-fits-all solution.
There are many companies peddling GDPR solutions, but each company will have a different requirement. For that reason, which lawful basis is right or wrong is not a blanket answer. Instead, the following should be used to help you interpret how the new guidance should be adopted within the hospitality sector.
Working party guidance on consent
Working Party guidance 259 was published in November 2017, and covers consent as a legal basis for processing personal data under the GDPR.
Consent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice
WP 259 Guidelines on Consent under Regulation 2016/679
This statement goes hand in hand with standard practice within the modern hospitality industry, where consumers are given more control and choice over products than most other industries (think of dish changes in restaurants, or special requests in hotels).
The key to getting GDPR consent right is the same as giving great customer service in a restaurant – give the consumer all of the choices, then let them decide which bits they do and don’t want.
How to gather consent in hospitality
Let’s now consider how consent is gained. The new guidance says that consent must not be bundled together or be tied in to acceptance of terms and conditions so as to ensure the consent is truly freely given. This is a key part of the consent process, ensuring the consumer is always offered a genuine choice.
With the burden of consent on the company (data controller), not the consumer (data subject), it is the company’s responsibility to ensure they have a solid consent for each data subject AND each type of processing activity. The guidance expands upon this concept further by stating that consent must be granular.
Granularity means that each consent must be for one data processing activity. For example, a hotel takes passport and contact details from a customer for two reasons:
- To analyse the type of people using the hotel
- To enable future marketing.
If consent is used as the legal basis for processing data in this scenario, then there should be two separate, unrelated consents. The consumer must be able to choose how their data is used, without detriment to the service they are purchasing.
Rules for withdrawing consent
Under the GDPR, a key requirement is the consumer’s right to withdraw any of their consents at any time. A consumer (data subject) must be able to withdraw a consent without detriment to the service or goods they purchase.
GDPR makes it crystal clear that the company must also ensure the consumer can withdraw consent as easily as they gave it. This means that if a customer consents to a restaurant processing their data while they book a restaurant table through a mobile app, they must be able to withdraw that consent in the same way, i.e. through the mobile app.
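To make the granularity and withdrawal rules concrete, here is an added example (not code from the article or from any vendor) of a minimal consent ledger for the hotel scenario above. It assumes a declared set of purposes, a hypothetical ConsentLedger class with one record per (guest, purpose), and that the channel through which consent was given is recorded so an audit can flag consents that cannot be withdrawn the same way.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical purposes declared by the hotel: data is only held for
# specific, necessary reasons, so anything else is rejected outright.
PURPOSES = {"guest_analytics", "future_marketing"}


@dataclass
class ConsentRecord:
    purpose: str                 # exactly one processing activity
    channel: str                 # how it was given, e.g. "mobile_app"
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """One record per (subject, purpose): consents are never bundled."""

    def __init__(self) -> None:
        self._records: dict[tuple[str, str], ConsentRecord] = {}

    def give(self, subject: str, purpose: str, channel: str) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"undeclared purpose: {purpose}")
        self._records[(subject, purpose)] = ConsentRecord(
            purpose, channel, datetime.now(timezone.utc))

    def can_process(self, subject: str, purpose: str) -> bool:
        # Consent for one purpose never carries over to another.
        rec = self._records.get((subject, purpose))
        return rec is not None and rec.active

    def withdraw(self, subject: str, purpose: str) -> bool:
        # Always honoured, no reason required; False only if nothing to withdraw.
        rec = self._records.get((subject, purpose))
        if rec is None or not rec.active:
            return False
        rec.withdrawn_at = datetime.now(timezone.utc)
        return True

    def withdrawal_gaps(self, offered: set[str]) -> list[tuple[str, str]]:
        # Audit: active consents given via a channel that offers no
        # withdrawal route, i.e. not "as easy to withdraw as to give".
        return sorted((s, p) for (s, p), r in self._records.items()
                      if r.active and r.channel not in offered)
```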
How should hospitality operators manage consent under GDPR?
Consent is the most customer focussed legal basis to process data, but also has a lot of potential pitfalls.
If you have chosen consent as the legal basis you intend to operate within, then start by answering the simple questions below. They do not negate the need to take advice from an expert, but they will set you on the right track to consent success, and more importantly, consumer happiness.
- Does your consent request give your consumers all the information they need to make an informed decision?
- Can you make the information any easier for them to understand?
- Is the wording of the consent request in simple, unambiguous language?
- Are you offering one consent request for each data processing activity?
- Are you storing data for specific, necessary reasons?
- Have you made it easy for the consumer to withdraw consents?