At Mews, we believe that privacy is a fundamental right. Here we explain why, and also reveal how we’re going beyond GDPR to simplify data controllership for hoteliers…
In a nutshell: what is GDPR?
GDPR is an acronym for General Data Protection Regulation. It is an EU regulation that came into effect on 25th May 2018, which itself was an enforcement of rules that had been created over a decade ago.
GDPR was created to bring as much uniformity into data protection as possible, aiming to give control back to all individuals over their personal data (“any information relating to an identified or identifiable natural person” – e.g. an individual’s name, identification number, location data, online identifiers…) and to simplify the regulatory environment for international business.
GDPR gives power back to consumers by forcing companies to become transparent in how they collect, store, and share their customers’ personal data.
In the context of our industry, the regulation applies to all travel agencies, tour operators, hotels, motels, inns, clubs, bed-and-breakfasts, Airbnbs, automobile rental agencies, restaurants, aggregators and other travel and hospitality groups that operate in Europe, or to groups that operate outside of the EU and actively maintain information on, and market their services to, EU residents.
What do we think about it?
Our Founder, Richard Valtr, explains Mews’ approach as follows:
“We believe that privacy is a fundamental right, and as a business, Mews cares fiercely about the integrity of handling customer data and the protection of their rights. We think that GDPR is a step in the right direction, but unfortunately an incomplete solution.
We believe that customers will happily give service providers access to their data as long as they can see and control who that data is passed to, and to what end. For this reason, it is not enough for companies to simply delete data once asked to, or inform when there has been a leak.
The 2018 scandal over a breach that exposed the personal information of millions of Facebook users illustrates this well. The rules previously allowed companies such as Apple, Amazon, Microsoft and Netflix to have a worryingly high level of access to Facebook users’ information. Unsurprisingly, Facebook was put under pressure to redesign the settings menu and give users more control over their privacy by making data management easier.
Instead, they should proactively show the user how their data is being managed and which third parties have access.
In the spirit of protecting this data, we will let this cover all sensitive information, even that which is currently exempt from GDPR, such as credit card information.
We believe the GDPR law will eventually extend to cover these cases, and we are therefore building an infrastructure which allows hoteliers to fully future-proof their properties, and set themselves up as trusted parties – much like the discreet concierge in days past and updated for the modern age.”
What is Mews doing to comply with it?
We’re serious about protecting client data and improving user rights, and we are committed to protecting the privacy of all visitors and users of our cloud-based property management software.
To the very best of our ability, we strive to keep your information protected from unauthorised access and from unlawful processing, accidental loss, destruction and damage. We have implemented strict procedures and security features to prevent any unwanted activity.
As soon as a guest’s profile is created in the Mews platform we send them an email to introduce ourselves as the data processor acting on behalf of their chosen hotel, and to give them both the access and information they need to be able to update and maintain their personal data themselves. Why? Because we firmly believe that guests should have full control over their own data.
This email comes directly from Mews, and because the guest profile sits above each hotel’s individual database, its content can’t be edited by anyone before it’s sent.
This also means that a guest who has already checked into and stayed at a Mews hotel will not need to fill in their personal details all over again if they check into a different Mews hotel. They can simply share them at the click of a button, and unshare them just as quickly.
Empowering guests in this way can also double up as an effective tool for savvy hoteliers wanting to offer a hyper-personalised and frictionless stay experience. When executed properly, the GDPR legislation ultimately offers hoteliers the opportunity to establish more open communication streams with their guests. How?
How are we going beyond it?
The same logic that’s behind data security is already in place when it comes to payment security, where the PCI (payment card industry) framework acts to remove the threat of card leakage and enhance card security.
We have a state-of-the-art PCI vault to tokenize credit card data and move it away from the danger of theft via screens in the hotel. The way in which this is done allows the hotel to retain full ownership of the credit card data, should they ever decide to leave our platform.
The same level of sensitivity should be applied when designing the best way of dealing with personal data, and we have tried to use state-of-the-art technology and frameworks which would suit this.
From a theoretical point of view, we believe that Tim Berners-Lee’s Solid pod will eventually provide the best framework for data storage and control for individuals and entities. We’re keeping an open mind though, as these cryptographically-enhanced technologies are still very nascent.
In the end, the Mews Navigator is designed to give travellers full control over their stay, and to make data controllership much easier and simpler, for both hotels and individual users.