Data is highly addictive.
Marketers are mesmerised by its potential and with no obvious limit to the number of data points you can collect on target customers for the purposes of advertising or sales conversion, it’s easy to see why.
Data has always been useful, but in an analogue world it was expensive to gather. In a digital world, it is infinitely easier to collect, combine and then mine with AI.
Google, Facebook and other social companies have become a dominant oligopoly by collecting data-by-stealth and thereby controlling global advertising and more with their data-based business model.
The advent of GDPR has brought this oligopoly under a spotlight, but other organisations who have shared BigTech’s addiction to customer data are finding it a tough habit to control.
This is particularly true for brands that have relied on collecting customer data to build profiles to personalise customer experiences, such as those in retail or the travel sector. Recent high profile fines however are a stark reminder that addictions come with risks attached.
Google itself was the first to come under fire when they were fined EUROS 50 million by France’s data protection supervisory authority – CNIL – for lack of transparency, inadequate information, and lack of valid consent regarding personalisation of ads.
In the UK the ICO recently slapped British Airways with a proposed fine of £183m for a breach of customer data, and the very next day, a second culprit was exposed. The ICO announced that it intended to impose a £99 million fine on hotel chain Marriott for failing to protect personal data contained in approximately 339 million guest records.
These serious breaches serve as wake-up calls for all companies, big and small, and particularly those travel brands who need to seriously re-visit their fundamentally flawed websites and CRM systems.
Both British Airways’ breach, that exposed some 500,000 customers, and Marriott International’s hack of their Starwood database, are doubtless just the tip of the iceberg. The fine’s themselves are hitting the headlines yet serious data breaches in the travel sector have been a regular occurrence for years.
Uber suffered a data breach in 2016 when over 75 million users and 600,000 drivers around the world were affected. Still in 2016, hackers stole data from over 1200 Intercontinental Hotels in the Americas. Hyatt Hotels discovered malware in their payment systems in 2015 the same year that Hilton urged all its customers to check their credit card statements after confirming the theft of cardholder payment details.
Personalisation data
Brands across all industries rely increasingly on personalisation and in the case of travel brands personalised customer service depends on CRM systems, rather than a hotel general manager’s personal knowledge of a valued client’s requirements. It doesn’t take too much imagination to picture some clients not wanting this very detailed ‘white glove’ information shared in the public domain.
Data breaches are not only potentially embarrassing they can seriously devalue a travel brand and damage the trust they have spent years building up with their guests.
If this can happen to some of the biggest players in the business whose cyber and data security budget other companies can only dream of, how exposed are smaller brands?
Perhaps privacy has just become a potentially highly valuable competitive advantage? Certainly, the likes of Apple and IBM appear to be positioning their brands around this proposition to contrast with their looser-moraled competitors.
Outdated practices
Of course marketing automation and CRM have made marketing much more effective, but the cost overhead of governance, compliance and security has been underestimated.
There is now an urgent need for brands to review their practices to ensure systems comply fully with existing regulations and anticipate future governance, as well as define a customer data strategy identifying what is and isn’t collected and then how it is used and shared to improve the customer experience.
Certainly, from our perspective there are only a handful of travel brands who place cyber security and GDPR compliance sufficiently high on their list of priorities. Few implement customer identity management platforms, as we did for Carnival Corporation recently, where we used the Gigya application to automate secure and compliant profile management, preferences, opt-ins and consent settings.
GDPR may be a step in the right direction to ensure customer data is only held with full consent, but I can’t say I have noticed a dramatic drop in spam emails since last May, certainly not everybody is complying.
Using security and privacy to competitive advantage
Privacy, security and transparency could become a valued differentiator with a proposition aligned with best practice.
There is no doubt that personal data can improve the quality of service, but hospitality guests are rightly going to be even more wary about sharing their information than ever before. Demonstrating that there are secure data governance strategies in place is going to become table stakes in future.
This will mean going way beyond promising customers that their data will not be shared with any third parties or knowing that they have the right to delete their data at any time. The furore over facial recognition data collection shows that we are on the verge of consumer revolt over BigTech and government knowing too much about us without our consent. And with regulators now having real teeth, and imposing really significant fines, the true cost of data is emerging.
Securing systems and compliance with GDPR are simply the first two steps, but both need to be part of a full review of how every brand uses customer data for marketing and enhancing customer service.
It’s in every organisation’s self-interest to provide secure, compliant and trusted customer data management, because if they get it wrong, it is not just the fines that will be punitive, the damage to brands could be irreversible.
About the Author

Peter Matthews is Nucleus‘ founder and CEO. For over thirty years he has led the company, advising clients on innovation, branding, digital and IP strategy and also leading and managing Nucleus’ start-up ventures. Peter is a ‘big ideas’ thinker, who has been able to combine business acumen with creativity consistently through his career.
Featured image: ©peshkov