Data protection and privacy: why earning guest trust and building security is crucial

The need for travel brands to guard guest data and build trust has never been more crucial. Last November, Marriott announced that the data of up to 500 million guests had been hacked since 2014. Then in October last year, Cathay Pacific Airways declared a data breach affecting 9.4 million passengers.

More broadly, consumers seem to be increasingly wary of how brands are tracking their online habits and preferences. A recent survey found that 71% of U.S. consumers worry about how brands collect and use their personal data.

In this age of consumer uncertainty and increasing levels of cybercrime, what can hotels do to protect guest data and build trust?

1. Gaining trust requires empathy

In a post-GDPR world, hotels must conform to stringent privacy regulations. These new regulations might reassure some guests that their data is being collected, stored, and used responsibly. But is paying lip service to data policies enough to gain real trust?

Arguably, one of the best ways to earn trust is by demonstrating empathy. Hotels need to let guests know that they genuinely care about their privacy. Explain to your guests how their data is being collected and shared, and why you’re collecting it in the first place.

How will the information they share with you directly enhance their experience? Be sensitive to the fact that some guests won’t like the idea that their behaviors, habits, and purchases are being monitored, even if you’re completely open and honest about how and why this is being done.

Ultimately, guests should be in control of the data you collect about them and feel that (beyond adhering to industry regulations) you respect their right to keep personal details private.

2. Staff training

The quality of your data security systems is only as good as the quality of your staff training. One of the most common causes of data leaks is employees distributing internal information, whether intentionally or unintentionally. This can easily happen even in innocuous circumstances.

For instance, an employee who charges their phone via the USB port on a work computer provides a way for hackers to access valuable personal data. Transferring information to a colleague by exporting it to a USB stick also increases the risk of data spilling into the open.

Regular employee security training is crucial to ensure that everyone in your business understands how data leaks can happen through insecure channels and seemingly harmless distribution.

Hotel management should also have a robust system that designates which members of staff can access different levels of information. For example, some members of staff might only need access to basic guest data, while others might require access to more secure information, such as credit card details.

3. Identify weaknesses in your security

Because hotels store and share data in multiple places, cybercrime is inevitably more common. Central reservation systems, third-party partners, credit card companies, and point-of-sale (POS) systems all represent potential sources where data can be hacked.

The data security threat is also becoming harder to manage in the era of the connected hotel. As guests use their smartphones to access in-room services and connect to Internet of Things devices, hackers have access to a huge network of personal data.

With expanding digital infrastructures, hotels neglect data security at their peril. A comprehensive cybersecurity plan is crucial to minimize the risk of a data breach. This could involve creating your own dedicated in-house security team, or working with an external security assessor to identify potential weaknesses in your system.

Choosing the right vendor

The vendor that you work with should be PCI compliant and have taken steps to become GDPR compliant. Here are some basic steps that a vendor should take to ensure PCI compliance:

  • All encrypted credit card information generated in the reservation system and booking engine should be purged and should be accessible only to property-authorized users. This includes credit card details contained in all emails, extranet reports, or connection XML messages.
  • Every client and employee of a vendor should set up strong passwords in their Extranet (controlled private network) and all production environments and databases. All passwords should also be encrypted and changed at least once every 90 days.
  • All vendor employees (including new hires) should undertake PCI Awareness Training.
  • Firewall and antivirus software must be installed and running on the workstation of every vendor employee.

4. Build security through your call center

In addition to data leaks through internal staff, guest information can also be exposed via hotel call centers. Using DTMF ‘card payment by phone’ technology, hotels can enable customers to discreetly enter their credit card details into the phone keypad, instead of reading them aloud to a reservation agent.

This form of technology offers two main benefits. First, card details are never shared with call center agents or held in the contact center infrastructure, which reduces the number of people with access to sensitive data. In addition, guests will likely feel a greater level of trust towards your hotel, and consequently feel more confident to book, when they don’t have to read their card numbers out loud over the phone.

5. How to balance hyper-personalization with trust

A 2018 report from The Economist Intelligence Unit found that consumers want personalized content. But the majority of consumers said they feel uncomfortable about companies creating a “profile” on them to predict their behavior.

This privacy paradox presents a challenge. How can hotels offer personalized experiences while maintaining guest trust?

We suggest having a robust privacy policy on your hotel website. This should communicate precisely how you use and collect guest data, and feature an opt-out policy that lets guests know they can opt out of aspects of your website or app. The website of Stanford Court in San Francisco offers a great example of how a comprehensive privacy policy should look.

Finally, it’s important to be entirely transparent about how you collect and use data. Allow guests to opt in to (rather than opt out of) further communications, but make a clear statement about why opting in is beneficial. Asking, “Can we contact you with exclusive offers and special rates?” is a way to remind your guests about what they stand to gain.

Building privacy

With Marriott’s high-profile data breach and a wider crisis of consumer trust, hotels need to work harder than ever to reassure guests. Investing in the right technologies to keep data secure is crucial. Hotels also need to balance delivering personalized experiences with respecting privacy — arguably one of the toughest tasks modern hoteliers face.

As artificial intelligence and new digital technologies allow hotels to capture unprecedented amounts of data, transparency becomes paramount. Letting guests know exactly how their data is accessed and used with detailed privacy policies and clear communication is fundamental to earning their loyalty.

Joan Evelyn Lee

Joan is VP of Operations at Pegasus, helping hotels worldwide efficiently manage their distribution channels and maximize direct bookings. She loves cooking, traveling, and all things New Orleans. Contact her at joan@pegs.com.
