Wake-up call: customer data exploitation
Operators can collect data through a number of ways, but there is an increase in the number of customers complaining to the regulator about how that data is being used. Legal expert Alison Deighton explains
The Problem
As a hotel or restaurant operator you will collect customer data through your website booking system, telephone reservation system and prize promotions, and you probably use this information to send targeted offers and promotions to individuals.
However, customers are increasingly aware of their rights under data protection laws and are more likely to complain to the regulator, the Information Commissioner's Office (ICO), if they are unhappy with the way their data is being used. So, what are the legal requirements around data collection and how can you ensure that you are using customer data appropriately?
The Law
There are two key pieces of legislation with which you must comply when collecting data about individuals: the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PEC Regulations).
The DPA sets out eight key principles. The most important of these when collecting data is the first principle, which requires you to process personal data "fairly and lawfully". This means that you must be transparent with customers to ensure that they understand how you will use their data. This will include providing customers with brief information, known as "privacy notices", about the purposes for which you collect data and any disclosures of customer data, for example, if you pass customer contact details to third parties for marketing purposes.
If you are using data for marketing purposes, individuals have a legal right to request you to stop doing so. If you receive such a request you must comply with it within a reasonable time frame.
Regulations also apply if you use cookies to collect data through websites. The law in this area is about to change. At present you must inform people as to how cookies are used to collect data and allow individuals to opt-out by changing their browser settings. However, from later this month it will be necessary to obtain prior consent for use of cookies.
Expert Advice
Compliance with privacy requirements not only protects your business from potential legal claims but can also assist in building a strong relationship of trust with your customers. Before you commence any data collection you should carefully consider how you would like to exploit that data and provide customers with clear and transparent information about those uses.
Privacy notices should be provided to customers at the point of data collection, therefore if you collect data through a variety of different means, you will need to ensure that you have different procedures in place to ensure that privacy notices are provided in an appropriate way for each collection channel, for example, through use of telephone scripts, online prompts or within hard copy materials.
Check List
â- Think through the purposes for which you are going to use data and ensure that appropriate privacy notices are provided to customers.
â- Obtain prior consent before you send marketing by eâ€'mail, SMS or fax.
â- Ensure your systems are set up so that you can comply with requests to cease marketing.
â- Take steps to ensure that personal data is kept securely, particularly sensitive or high-risk data such as health data or credit card details.
Beware!
Failure to comply can result in:
â- Bad publicity for your business.
â- Fines of up to £500,000.
â- The ICO requiring your business to take specified steps to ensure compliance.
â- Claims for compensation from individuals.
Contact
Alison Deighton is an associate and head of data protection and privacy at national law firm TLTalison.deighton@TLTsolicitors.com
