Advice from the Experts – Hospitality and the General Data Protection Regulation (GDPR)

By Andrew White, CEO, Preoday

The restaurant and catering market has been slow to adapt and realise the full potential of its customer data. While retail businesses have been collecting and using data to optimise marketing and operations for years, hospitality companies have been giving away their most profitable data assets to third parties such as Just Eat and Trip Advisor. Now, with new data regulation rules on the horizon, venues have a short window of time within which to take back control.

Data protection regulation: the true impact

The General Data Protection Regulation (GDPR) becomes active on 25th May 2018 and will be the most significant update to privacy regulation in two decades. You’d be forgiven for thinking that it’s only relevant to big technology, health or finance companies. In actuality, by that date, any company targeting consumers in the European Union and holding or transporting data relating to them must be in compliance.

It is vital that businesses understand the importance of this and make the required changes, for example appointing a specific data protection officer who will be in charge of making sure the business complies with the regulation. Although hospitality companies are directly affected, many remain unaware of the full impact of the GDPR juggernaut; non-compliance carries a penalty fine of up to €20m or 4% of the offending business’ global annual turnover. In truth, companies can’t afford to wait until next May to start making adaptations. If GDPR is not acted upon now, it will be an even bigger problem soon.

Make sure you own your data

Under the GDPR, it will become illegal for restaurant owners to pass on or store online customers’ personal information without agreeing a new and formal contract with its ‘data controller’. If the data controller is a third party, like Just Eat, it has the right to define limits on how that data is used. Consequently, if a business wants to market to customers, it will have to inform Just Eat or Deliveroo or ‘their’ customers (which used to be the restaurant’s) about what it wants to do with the data (which used to belong to it) and ask for permission. It is unlikely to be granted. In fact, the aggregators will be free to object to ‘their data’ being used at all.

The only way around this is to move off the aggregator platform and create a direct customer relationship by launching an owned ordering app or online portal. This will ensure that, come May, the restaurant will be the data controller and will retain data and customer rights. Given the importance of data in the modern hospitality industry – for everything from loyalty, through marketing, to stock control and competitor differentiation – data ownership is utterly essential. Long term, it means survival.

Increasingly, businesses are collecting data through online ordering portals and mobile applications. Who owns the app, the venue or a third party, makes a difference to long-term customer relationships:
1. If orders are taken directly through an owned app, website or platform, the data, the customers and control belong to the restaurant.
2. If orders come through an aggregator’s app or website, such as Just Eat’s and/or Deliveroo’s, the data, the customers and control belong to the aggregator.

For more information visit

>> Click here to read the rest of the September 2017 Stir it up Magazine <<