Cambridge Analytica’s unauthorised “scraping” of the data of 50 million Facebook users has reverberations extending far beyond the social media giant. With the UK Information Commission currently seeking a warrant to analyse the digital databases of the UK-based company, it’s clear that data privacy is now assuming an importance like never before. As an industry that inevitably deals with enormous quantities of customer data, the travel industry must monitor events with care.
Travel businesses, of course, will already be mindful of the forthcoming General Data Protection Regulation (GDPR) and will have been working hard to ensure compliance with its more stringent regime. The Cambridge Analytica scandal not only underlines the need for the GDPR but also highlights the opprobrium that threatens to fall on businesses and organisations that treat other people’s data in inappropriate ways.
There are several useful lessons to be drawn from what we already know of the Cambridge Analytica debacle. Although some of these are already covered by the GDPR and the UK Information Commissioner’s guidance, Cambridge Analytica provides the sort of real-life example most businesses pray never happens to them.
1. Know where your data is coming from. Ask yourself whether your data partners are abiding by your data protection rules. Inevitably, this requires up-front due diligence. In other words, for your own self-protection, don’t get into business relationships with organisations you haven’t done your homework on.
2. Understand that the effect of events such as Cambridge Analytica’s are that the general population (both private individuals and businesses) may become increasingly wary of personalised advertising. They may ask themselves how the advertiser obtained their data. This means asking users and customers for permission to use their data – and doing so via opt-ins, not opt-outs.
3. If something goes wrong, apologise to your users. Do not fudge the issue, attempt to explain it away or ignore it altogether.
4. Remember that getting your data protection policy wrong not only risks the swingeing new fines regulated by the GDPR but threatens your entire business. And, in the travel industry, where reputation is everything, that is a risk never worth taking.