Big Data and Privacy


March 28, 2014
Big Data
Scott Warner

Nearly everywhere the benefits of Big Data in the travel and hospitality industry are being promoted.  Big Data offers tremendous promise to manage costs, guide investment strategies, and personalize user experiences. And, Little Data maybe even more so.  However, not everyone is singing the praises of Big Data.

Sidebar to the Why Big Data Matters to You, Feature article, Spring 2014 issue
 
 
Pretty much everywhere commentators, operators and consultants are promoting the benefits of Big Data in the travel and hospitality industry.  Big Data offers tremendous promise to manage costs, guide investment strategies, and personalize user experiences. And, Little Data maybe even more so. 

However, not everyone is singing the praises of Big Data. There is an equally loud chorus among privacy advocates, legislators and others that Big Data threatens user privacy, and because of the quantity of data collected, exposes personal information to increased risk. In light of the Target data breach, NSA disclosures, and recent uses of customer data that verge on creepy, this chorus is growing louder.   

Certainly, customers benefit from personalization and efficiencies that Big Data can bring, but customers are voicing concerns about how their personal information is being used, and reports indicate that a substantial majority do not believe companies are honest about how they exploit customer data. 

The problem is that there’s not a lot of guidance on how to serve both constituencies well. Worse, the privacy landscape is in flux. In the space of a few months, the California Attorney General filed a complaint against the Kaiser Foundation Health Plan for failing to timely report a data breach, Congress is considering legislation that would impose criminal penalties for failure to disclose a data breach, the FTC has reached settlements with 14 companies for falsely claiming to comply with the US-EU Safe Harbor, new rules on data security in government contracting have been adopted, new EU rules on data collection are coming on line, and the judge in the Google wiretap case has ruled that companies may not rely on generalized privacy statements to establish user consent to their data practices. How can you get the benefits of Big Data and at the same time comply with the rules and protect customer privacy? 

What and Why:  Evaluate your needs and make informed decisions about what data to collect and why. While the costs of collecting data have decreased, processing that data is still expensive. And once collected, you need to protect it. This is not easy or cheap and holding data increases the risk of disclosure. Before proceeding you need to have a plan in place, and don’t collect what you don’t need.      

Rules of the Road: The rules applicable to collection and use of data vary from jurisdiction to jurisdiction, and with the type of use and the nature of the data collected. Make sure someone in your organization has responsibility for staying up to date and reviewing your practices, policies and procedures for compliance. And, if you are doing business (or plan to) anywhere outside the U.S., follow the OECD Privacy Guidelines and the EU Data Protection Directive.

Notice and Consent:  Provide explicit notice about what data you are collecting, how you will use it and ask for permission in advance. In the last year, Disney Parks has begun using RFID wristbands, MagicBands, in its parks and resorts. These wristbands interact with sensors throughout the parks and collect data about user activity, which is then used by Disney to interact with the visitor, improve services and other purposes as described in the Disney FAQ and privacy policy. While some argue that Disney’s notice does not go far enough (particularly with respect to choice), it represents a clear step toward the explicit notice required by Judge Koh in the Google case, as well as the consent requirements for cookies under the EU Directive.

One Size Fits All: Maybe for sweatshirts, but not for data policies.  Don’t cut and paste from form or competitor policies. If there is anything to be learned from Judge Koh’s order in Google, it is that to gain protection through user consent, your policy must describe what you do.   
  
De-identify and Encrypt: Where practical (and certainly where promised), de-identify and/or encrypt data collected from customers. This may not only provide a safe harbor for claims in the event of a data breach (and provide grounds to argue no damage), it also provides customers with an added level of security.    

Data Storage and Security Practices: As with rules on collection, these vary from jurisdiction to jurisdiction. Get familiar with these rules, establish and comply with internal policies that satisfy these requirements. This includes a data retention policy that conforms to your published privacy policy.     
 
Establish Internal and External Controls: You are responsible for what happens to the data you collect, so you need to adopt internal and external controls for how the data is collected, handled and stored, provide training to employees and contractors on compliance, monitor activity to confirm that the data is not being accessed or used improperly, and take prompt remedial action if you learn of a violation or breach. 

Do What You Say: Too often, policies are written and forgotten. There is a need for frequent training and monitoring. But there is another element.  If your policy says you won’t share the data you collect or that you will employ industry best practices to protect it, or that you will only use it for a specific purpose, you need to do it. In the latest round of the Sony PSN litigation, misrepresentations regarding Sony’s data security practices in its privacy policies formed a basis for permitting certain plaintiffs to proceed with consumer protection claims against the company.
    
Big Data is here to stay, and if recent developments are any indicator, restrictions on collection and use and the costs associated with unauthorized use – through breach or otherwise – will only increase. If you are going to use Big Data (or Little), do what Mickey did: plan ahead and get consent.
 
 
©2014 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email
info@hospitalityupgrade.com.


 


