An interesting email dropped into my inbox back at the start of March, and made we wonder if the headlines are affecting the way that businesses interact with customers.
The email in question came from Lastminute.com, that great bastion of the dotcom that if I am honest, I used once and had not been aware I was even on a mailing list for anymore. But I am glad I was, as in announcing its acquisition by the Bravofly Rumbo Group, the company made the emphasis of the email about personal data security. That’s right, not benefits or better deals and lower prices, but my data was secure.
It read: “Your personal data will continue to be processed in accordance with the lastminute.com privacy policy that you agreed to when signing up to lastminute.com newsletters or when making a booking. LMnext UK Ltd is committed to respect the confidentiality of your personal data and will process it fairly and lawfully and in accordance with applicable data protection law.”
Signed by “the team at lastminute.com and Bravofly Rumbo Group”, this was really quite astonishing to read – my personal data was the most important thing for them to announce that they did an email shot to all of their database, which I can assume runs into millions of users.
I guess I was expecting a “see more” with some bad news, but no, it was just a clear detail that my data was secure despite the new ownership. Is this completely out of the blue? I asked Eduardo Ustaran, partner at law firm Hogan Lovells International LLP, what he thought, and he said that the new owner of lastminute.com is obviously doing the right thing to make sure the data collected by lastminute.com can continue to be used going forward.
“This evidences the huge value that customer data has when corporate transactions of this kind take place,” he said. “Getting the privacy and data security aspects of the transaction right can make all the difference between success and failure.”
He said that in this particular case, it was crucial for the company to ensure that the trust of lastminute.com’s customers is retained, which explains the carefully worded email sent by the new owner. “We are bound to see more of this as businesses realise that ensuring the right level of data protection compliance has a positive effect on the bottom line,” Ustaran said.
Of course, after a year where companies were in the security headlines for all the wrong reasons, this was rather refreshing. David Howorth, VP EMEA at Alert Logic, said he was surprised to see this announced so publically, and this could be because either: undoubtedly Lastminute take data protection seriously and want to be completely transparent to their customers that their data has been moved; or it could be that they are making this public disclosure to pre-empt questions on their security posture in moving the data.
Lastminute.com handles holiday bookings so therefore handles payment card data, and Howorth said that as credit card data is used for payment, the data is required to be stored for a minimum of one year to comply with regulations such as PCI DSS.
He asked: “What have Lastminute.com done with all their historical and archived data? Have they transferred that too? What will they do with all their event and log management data and all their customer profiling big data? How are they protecting that data and access to that data? Have they digitally destroyed the data they no longer need? What data protection legal loop holes have now opened up should there have been a breach in the transition process etc.?”
In fact, Howorth said that whilist we can applaud the move to keep customers informed, he said that it has identified many questions they haven’t answered in their letter to their customers.
So maybe this is a step sideways into more questions about regulation, rather than a simple “all your data is safe with us”. Either way, perhaps this is a step in the right direction, that personal data security is valued and not just treated as secondary importance behind financial data.
This originally appeared at Foursys.co.uk