As the EU enacts stringent data protection rules, Caribbean businesses must re-examine how they communicate with customers
The European Union’s sweeping new privacy law is changing the way Caribbean companies communicate with their overseas customers. Caribbean businesses now need a greater level of consent to use an EU customer’s information and must be more transparent about how they use that data. The controversial new General Data Protection Regulation (GDPR) is set to have significant and far-reaching repercussions for the region’s key industries of tourism and banking.
WHAT IS THE GDPR?
The 88-page EU GDPR is a dense and far-reaching regulation that came into force in May and aims to strengthen data protection and privacy. Under the new law, companies are required to re-examine how they use and store the information of EU citizens, ensuring that this data is used reasonably and responsibly, even when it’s shared with third parties. Speaking at a recent seminar hosted by the Caribbean Hotel and Tourism Association, Brian Kent, CEO of Flip.to, said: “[The regulators] are not trying to restrict companies from using data but they want to ensure it is being used with the right intentions. Companies have to get very specific consent.”
Businesses need a comprehensive plan to follow the law, which should include a compliance strategy and an action plan for any data breaches. They need to look at their opt-out policies, purchased data and the privacy notices attached to contact lists. Personal information has a wide definition under the GDPR and includes passport details, telephone numbers, travel patterns, health complaints, photographs and financial records.
The legislation represents a new phase in data protection. As digital communications have increased and evolved all over the globe, there’s been a corresponding push for more effective safeguards to protect our information online. Even huge social media giants such as Facebook are now being forced to rethink their privacy policies, or risk a resulting backlash.
Every Caribbean business that interacts with EU citizens falls under the legislation’s purview. This will obviously affect the region’s tourism industry the most, impacting hotels, travel agents, dive companies, transportation firms, restaurants, resorts, spas, and any other business that deals with EU customers. “It affects everyone in travel,” said Kent. “Not just those folks based in the EU. That is a common misconception.”
Another sector that will feel the effects of GDPR is banking. The Caribbean has long catered to wealthy European investors, eager to take advantage of the region’s preferential tax regimes. Financial services providers with an international client base will almost certainly come up against the law’s strict provisions. The Caribbean Association of Banks has been urging all its member institutions that deal with EU clients to be pro-active in ensuring compliance.
WHY DOES IT MATTER?
The GDPR has teeth, and businesses ignore it at their peril. Penalties for breaching the regulation range from a EUR10 million fine (or 2 per cent of the company’s revenue, whichever is higher) at the lower end to a EUR20 million fine (or 4 per cent of revenue) for more serious infractions.
The law came into force at the end of May but many still consider it to be in a grace period. Given the lack of precedent for a law of this scale, these early days are a learning environment for all stakeholders, according to Kent. “No-one really knows exactly how it is going to be implemented. Best practices are still being figured out. It is something that is very far-reaching and very unique from a lot of the other regulations.”
Caribbean businesses who are still not in compliance aren’t alone. A recent GDPR Benchmarking survey from Deloitte found that only 15 per cent of organisations expected to be compliant by the time the law was passed in May, with most expecting to be on the defensive while the legislation finds its feet. In addition, Deloitte highlighted the most pressing GDPR-related concerns among the business community. These included customers’ right to erasure, the issue of consent and data portability.
While the financial penalties seem frightening, they are worst case scenarios. If a Caribbean company is in breach of the law it will first be dealt with by local regulators, acting on behalf of the EU. These domestic bodies have the power toissue reprimands and order certain actions before penalties are imposed.
If they break the law, companies face losing their most valuable asset—their marketing database. Most firms spend years, possibly decades, building up customer information and contact details. This is a prime resource for those in the banking and tourist trades, allowing them to generate repeat business and follow new leads. If just one customer in the database is an EU citizen, and the company is found to be handling their information irresponsibly, the entire database is lost. Businesses need to get up to date as quickly as possible to avoid this fate. “It only takes one drop of poison to ruin the entire well,” said Kent. “The head in the sand approach, waiting to see what happens, is not something you should roll the dice with.”
OPPORTUNITY, NOT OBSTACLE
As Caribbean businesses scramble to get their data in order, Kent advises them to look at the new regulations as an opportunity rather than an obstacle. “You need to shift your thinking long-term. Think about getting into better and more personal conversations that serve the needs of your customers. You are building a nurturing relationship rather than falling back to the idea of getting a whole bunch of emails and blasting those folks.”
With the GDPR now law, marketing departments across the region are being forced to rethink their customer strategy and bring a more personal touch to their business. This shift will have positive repercussions for the entire industry going forward as customers feel more appreciated, respected and involved. It also allows businesses to get a better handle on what their customers need, giving them the opportunity to identify trends that are set to shape the market and develop more tailored and effective products. While the road to compliance has been challenging for some, reaching a new standard of data protection and privacy encourages everyone to raise their game.