Protect your business by making it a priority to protect your European customers’ information
By Michelle Brisebois
Do you do business with residents of the European Union? Does anyone from the EU come to your restaurant, follow you on social media or visit your website?
If the answer is yes, the recent sweeping data collection and management regulations from Europe apply to your business too. You see, in the digital world, there are no borders.
The European Union officially implemented GDPR, which stands for General Data Protection Regulations, on May 25, 2018. The European Union is made up of 28 countries and so the new regulations are intended to harmonize standards across all EU members. If you get email from businesses based in the EU, you likely got messages asking you to give express permission once again to receive correspondence. That’s to comply with the GDPR.
Canadians might assume this doesn’t apply to us, but we’d be wrong to make that case. The GDPR applies to anyone doing business with someone in the EU or holding data belonging to someone in the EU. If an EU resident visits a Canadian relative and is taken to dinner at your restaurant, everything from the phone number given for the reservation to the credit card information taken to pay the bill is considered data that falls under the protection of GDPR standards.
The customer doesn’t even have to leave the EU to give you their data. If they visit your website and your web analytics capture visitors’ IP addresses, or they sign up for your e-newsletter and leave you their email address, you’re on the hook to follow GDPR.
The fines for not following GDPR are hefty: the maximum penalty has been set at $30 million but the penalty will generally be set at two to four per cent of your international revenue. A business that makes $100,000 per year could potentially pay $4,000 in penalties using that calculation. It’s still a big “ouch” for an industry such as hospitality where profit margins are so thin.
The care and feeding of customer data also has brand implications. Research by PricewaterhouseCoopers suggests only 25 per cent of respondents agree that most companies handle their sensitive personal data responsibly. When asked whether they think companies will use the data they collect to improve customers’ lives, only 15 per cent say yes. An ineffective or unclear data-handling policy can scare off customers even before they agree to do business with you. The same PricewaterhouseCoopers study says 88 per cent of consumers agree that how much data they’re willing to give a company depends on how much they trust that company.
Does all of this sound like you need a team of lawyers, IT specialists and RCMP officers to protect your business? Have no fear, there are some very basic and inexpensive things you can do. The spirit of GDPR intends to give consumers transparency around what information is being collected and for what purpose. The regulations mean to also give people assurance that their information is being protected and to give them the ability to deny or withdraw permission to have their information collected and used. It’s really a matter of good digital hygiene and communication.
DOCUMENT YOUR CUSTOMER DATA POINTS
It may surprise you to discover just how many pieces of data you are collecting from customers. Credit card numbers, phone numbers, addresses, email addresses, purchase history, web-browsing activities, food allergies and birthdates are all examples of personal data. Document for each piece of data why you have it, where it will be stored, who will have access to it, how it will be protected and when you will delete it. Under the GDPR regulations, a European citizen can request to see all activity connected to their data and assurance of its protection. If you can’t respond to this request, it could be an issue.
DATA HANDLING . . . WITH CARE
Decide who needs to have access to certain data and for what purpose. If you have a customer relationship management system for tracking purchases, birthdays and food allergies, your host, hostess, manager, servers and perhaps your marketing department will need to see it to do their jobs. If the accounts payable person doesn’t need this information to do their job, make sure they don’t have access. If you have data stored in the cloud or in apps, you’ll need to consider that part of the equation also. Make sure it’s safe from being accessed by hackers, and have a policy for deleting the information after a period of non-use. If you hold a customer’s credit card details and they haven’t ordered from you in a year, perhaps it’s time to just delete the information.
MAKE IT EASY FOR THEM TO SAY NO
Send electronic marketing messages only to those customers who’ve given express permission for you to do so. You want a list of people who are keen to get your communication anyway. Your open rates and conversion rates will be higher when marketing to those truly interested. Always have an “unsubscribe” button clearly indicated on your communications so people can opt out easily.
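The three practices above (documenting each data point with its purpose, storage and retention; giving each role access only to the fields it needs; and marketing only to customers who have opted in and not since unsubscribed) can be kept honest with a small script. The following is an added example, not something from the article or its author; the roles, field names, retention periods and sample customers are constructed assumptions for illustration, not values the GDPR prescribes.

```python
"""Minimal customer-data inventory with role-based access, retention and
consent checks. Constructed example: roles, field names, retention periods
and sample records are illustrative assumptions, not regulatory values."""
from dataclasses import dataclass, replace
from datetime import date, timedelta


@dataclass(frozen=True)
class DataPoint:
    """One documented data point: why it is held, where, who may see it,
    and how many days it is kept after the customer's last activity."""
    purpose: str
    storage: str
    allowed_roles: frozenset
    retention_days: int


# Constructed inventory; a real business writes one row per data point it holds.
INVENTORY = {
    "phone": DataPoint("reservations", "POS system", frozenset({"host", "manager"}), 365),
    "email": DataPoint("newsletter", "mailing-list tool", frozenset({"marketing", "manager"}), 730),
    "card_token": DataPoint("payment", "payment processor", frozenset({"manager"}), 365),
    "allergies": DataPoint("food safety", "CRM", frozenset({"host", "server", "manager"}), 730),
    "birthday": DataPoint("birthday offers", "CRM", frozenset({"marketing", "manager"}), 730),
}


@dataclass(frozen=True)
class Customer:
    customer_id: str
    data: dict            # field name -> value
    last_activity: date   # last order, reservation or visit
    marketing_consent: bool = False
    unsubscribed: bool = False


def can_access(role: str, field_name: str) -> bool:
    """Least privilege: a role sees a field only if the inventory lists it."""
    point = INVENTORY.get(field_name)
    return point is not None and role in point.allowed_roles


def view_for_role(customer: Customer, role: str) -> dict:
    """Return only the fields the given role is permitted to see."""
    return {k: v for k, v in customer.data.items() if can_access(role, k)}


def expired_fields(customer: Customer, today: date) -> list:
    """Fields whose retention period has elapsed since the last activity."""
    return sorted(
        name for name in customer.data
        if name in INVENTORY
        and today - customer.last_activity > timedelta(days=INVENTORY[name].retention_days)
    )


def purge_expired(customer: Customer, today: date) -> Customer:
    """Drop expired fields; returns a new record rather than mutating the old one."""
    gone = set(expired_fields(customer, today))
    return replace(customer, data={k: v for k, v in customer.data.items() if k not in gone})


def marketing_recipients(customers) -> list:
    """Only customers who opted in and have not since unsubscribed."""
    return [c.customer_id for c in customers if c.marketing_consent and not c.unsubscribed]


def access_request_report(customer: Customer, today: date) -> list:
    """Answer a customer's request to see what is held about them and why.
    Each row: (field, purpose, storage, roles, delete-by date)."""
    report = []
    for name in sorted(customer.data):
        point = INVENTORY.get(name)
        if point is None:
            report.append((name, "UNDOCUMENTED", "", "", ""))  # a gap to fix in the inventory
            continue
        delete_by = customer.last_activity + timedelta(days=point.retention_days)
        report.append((name, point.purpose, point.storage,
                       ",".join(sorted(point.allowed_roles)), delete_by.isoformat()))
    return report


# Constructed sample records and a fixed "today" so results are reproducible.
AS_OF = date(2018, 6, 1)
SAMPLE = [
    Customer("c1", {"phone": "+1 555 0100", "card_token": "tok_abc", "allergies": "peanuts"},
             date(2017, 3, 1), marketing_consent=True),
    Customer("c2", {"email": "c2@example.com", "birthday": "1990-06-01"},
             date(2018, 5, 1), marketing_consent=True, unsubscribed=True),
    Customer("c3", {"email": "c3@example.com"}, date(2018, 5, 20)),
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(c.customer_id, "expired:", expired_fields(c, AS_OF))
    print("marketing to:", marketing_recipients(SAMPLE))
    for row in access_request_report(SAMPLE[2], AS_OF):
        print(row)
```

Running it shows the stale card token and phone number on the first record flagged for deletion after a year of inactivity, a server seeing only the allergy field, and the marketing list shrinking to the one customer who both consented and never unsubscribed. The `UNDOCUMENTED` marker in the access-request report is deliberate: any field held without an inventory row is exactly the gap a customer's request would expose.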
Canada’s CASL (Canadian Anti-Spam Legislation) has been in place since 2014, but it differs from GDPR in that its focus is mainly on communications and who we can send marketing messages to. GDPR focuses on the collection of all kinds of data points, including our email addresses, and on how we use and protect that information. For a comparison of the two sets of rules, visit openprisetech.com/gdpr-and-casl-theyre-not-the-same-thing-2/.
LAY IT ALL OUT
Write a policy and display it on your website and in your restaurant. If you have a traffic counter that captures other things like gender and age (traffic counters these days are capable of this), you need to let people know that you are doing this and why. The GDPR has rules around age – you can’t market to anyone under age 16 without parental consent, so state that in your policy to avoid concern. Detail everything and be transparent. If you wind up in the crosshairs because a customer questions how you handle their data, you may win points with investigators if you have tried to be clear up front.
Technology lets us do business with a foreign company as easily as one around the corner and therefore, rules of engagement become entangled. Manage your data as you would the Queen’s jewels. It’s a gift your customers give you as they connect with your business.
For more information on the General Data Protection Regulations, visit eugdpr.org.
Michelle Brisebois is a marketing consultant specializing in e-commerce and digital content strategy and retail/in-store activation. Michelle has worked in the food, pharmaceutical, financial services and wine industries. She can be reached at firstname.lastname@example.org.