16 February 2017
The General Data Protection Regulation (GDPR) is a major overhaul of EU data protection law.
The GDPR is coming into force from 25 May 2018 and will apply to hotels and the wider hospitality sector across the EU and beyond (due to the extended territorial scope of the law). Brexit won’t save you.
The GDPR gives new rights to individuals and brings an enhanced compliance burden for organisations processing personal data. Failure to comply will be very expensive – with fines of up to 4% of annual global turnover or 20 million Euros, whichever is the greater.
The legislation brings in a large number of changes, meaning that the level of effort involved in preparing for GDPR compliance is pretty significant. Many organisations have already started down the path of scoping and implementing programmes to make sure they are compliant by May 2018. For others there is still time, although it is important to get GDPR projects underway in the very near future.
A time of opportunity, and challenge
There has arguably never been a time of such opportunity and challenge facing the hotel and hospitality sector. Changes in technology and a diverse and multi-layered landscape between the owners of hotels and hospitality businesses, as well as the operators and managers, have placed guest data and customer data centre-stage. Businesses are also presented with more opportunities for enhanced data gathering, providing deeper insights into guests / customers and driving more personalised services and experiences.
Yet as the hospitality sector embraces these opportunities, it must also confront the realities of new EU data protection law that has the potential for global reach. The General Data Protection Regulation (GDPR) was finally passed in 2016, after four years of negotiation. The GDPR is a major overhaul of EU data protection law which gives new rights to individuals and brings an enhanced compliance burden for organisations processing personal data.
The GDPR comes with a two-year implementation period and when it enters into force from 25 May 2018 it will, from that point, apply to hotels and the wider hospitality sector alongside all other businesses across the EU and potentially beyond (due to the extended territorial scope of the law). This new law has real bite, with vastly increased levels of fines for non-compliance (up to 4% of annual global turnover or 20 million Euros, whichever is the greater).
The legislation brings in a large number of changes, meaning that the level of effort involved in preparing for GDPR compliance is significant. Many organisations are already well down the path of scoping and implementing programmes to make sure they are compliant by the time the law comes into force. For others there is still time, although it is increasingly important to get GDPR projects underway in the very near future.
Making a step change towards compliance
Implementing a GDPR compliance project can appear a daunting prospect, akin to nailing jelly to a wall. To avoid being entirely overwhelmed by the exercise, whether it concerns client, guest / customer, prospect, employee or supplier data, it is worth first breaking the different elements into manageable steps.
Step 1: Project management and budgets
Management commitment is key to the success of a GDPR compliance project. An important part of preparing the way will be briefing senior decision makers on the importance of the law and on the consequences that a failure to comply may have for the business in terms of sanctions, penalties and damage to brand and reputation.
For regionally diversified hospitality businesses, it is critical that there is collaboration between each of the different EU group entities and those entities operating outside the Union that offer goods or services, for example to prospective guests in the EU, or that monitor their behaviour (which may apply to data generated through the operation of an international loyalty scheme). Project responsibilities should be assigned to key personnel at each of the involved entities, and one lead project officer, who could also be an external advisor, should be designated.
Management buy-in is also important from the perspective of approval and allocation of budget for the different resources needed. This should, in particular, cover internal personnel, legal support and IT costs (for example for IT audits or changes to supporting systems or software).
Step 2: Gap analysis
In order to understand what actions must be taken, it is important to first do an analysis of the current data protection compliance baseline and how this compares against the obligations flowing down from the GDPR. It may also mean identifying current compliance failings and ensuring these are mopped up as part of the wider points for action from the project.
Step 3: Risk analysis
The gap analysis is likely to identify a large number of issues and actions, not all of which may reasonably be capable of being met at the same time, ahead of May 2018. With this in mind, hotels and hospitality businesses should, as a priority, establish which of their data processing activities pose the highest risk for the business and for data subjects, and which risks are most likely to engage the high fines under the GDPR, and allocate resources on that basis. The riskier the processing activities, the greater the efforts that should be taken.
Step 4: Implementation of a data protection framework
4.1 Understanding key requirements
The range of new requirements under the GDPR means it is important that these are specifically mapped and that specific controls and measures are implemented to address these new obligations. These include:
Enhanced data subject rights
- Including stronger rights to receive information or, for example, to get access to, correct, delete, object to or restrict processing, rights to data portability, rights to be forgotten and higher requirements for legitimate processing, including for transparency and valid consent declarations.
Strengthened organisational requirements
The GDPR is more prescriptive around the compliance controls that must be in place including:
- Data processing registers – a register containing a record of the processing under the company’s responsibility must, in most cases, be maintained.
- Data Protection Impact Assessments – where processing is likely to result in a high risk to the rights and freedoms of natural persons, a data controller shall, prior to the processing, be required to carry out a formal assessment of the impact of the proposed processing operations. In cases where this assessment indicates that the processing would result in a high risk in the absence of measures to mitigate the risk, the supervisory authority must be consulted.
- Appointing a data protection officer (DPO) – this may be required where the core activities of the business involve regular and systematic monitoring of data subjects on a large scale or where special, i.e. sensitive, categories of data are involved (e.g. health, race, sexual orientation, religion, political opinions) and data relating to criminal convictions and offences. It is worth noting here that a hotel group, OTA or restaurant chain, for example, could appoint a single DPO provided that the officer in question is accessible to all.
- Privacy by design and by default – ensuring that organisational and technical measures ensure data protection principles (such as data minimisation and purpose limitation) are met both when determining how data will be processed and when conducting the processing itself. These measures may also include security, pseudonymisation or other privacy-enhancing features.
- Security measures and breach notification – appropriate and reasonable state-of-the-art technical and organisational security measures must be implemented in order to protect personal data processing. Data breaches must be reported to the supervisory authority within 72 hours after becoming aware of the breach, in cases where these involve risks to the rights and freedoms of data subjects. In the case of high risks for data subjects, the subject will generally also have to be informed of the breach.
- Strengthened contractual obligations – implementing a data processing contract management strategy to review and update and enter into new data processing arrangements that incorporate stricter requirements of the GDPR. This will apply to processing agreements with a range of different parties including external service providers, intra-company agreements and joint data controller agreements with parties that together determine why and how personal data are processed (and where the responsibilities of each are clearly defined). Where the international nature of the group means that data is transferred from Europe to a country outside the European Economic Area then, depending on the transfer adequacy mechanism adopted, contracts may also need to be concluded and retained.
4.2 Accountability and Governance Systems
A core new feature of the GDPR is the need not simply to comply with the requirements of the legislation but also to be able to demonstrate and evidence that compliance in practice. For this reason (and in order to address some of the more complex compliance requirements of the GDPR), it is important to have implemented a thorough accountability and governance system. This system should work across the group, particularly as data protection issues in one group company could lead to significant fines that hit the group turnover as a whole.
Key components of a governance structure will include:
- Defined roles and responsibilities – this may include a network of stakeholders across all relevant entities with responsibility for data protection as well as a central coordinating compliance officer able to provide ‘top-down’ instructions and advice but also allowing ‘bottom-up’ communication of issues and matters needing escalation across the business.
- Policies and procedures – many of the requirements of the GDPR will only be successfully complied with in practice if supporting policies, protocols and procedures are drawn up, brought to the attention of employees and reviewed on an ongoing basis to make sure that they are being effectively implemented in practice.
- Training – governance, policies and controls to help drive compliance will only be as effective as the training that is provided to employees about their obligations and responsibilities under the GDPR. The GDPR includes specific obligations to ensure appropriate training for all employees with access to and use of personal data and the separate accountability obligations mean records that demonstrate training has been delivered should also be maintained.
Step 5: Local requirements
The GDPR will deliver far more harmonised requirements. However, it is worth noting that certain provisions of the legislation will also allow EU member states to enact additional regulations that amend the local application of the GDPR (for example, this may include allowing specific local law exemptions or conditions relevant to specific processing operations) or to include additional rules (for example, in relation to employment-related requirements).
Additional local conditions, exceptions or requirements should be tracked as these emerge and assessed to establish any implications for the business and any local establishment of the group in that jurisdiction.
Step 6: Brexit
International hotel chains and hospitality businesses may have European headquarters or other establishments in the UK and be considering the impact that Brexit will have on their GDPR obligations. In practice the UK Government has confirmed that the GDPR will take effect in the UK ahead of Brexit taking place, and that EU-derived law will be brought into the scope of the UK law under the ‘Great Repeal Bill’.
In practice the UK will need to adopt successor privacy laws either the same as, or very similar to, the EU GDPR in order to ensure a continued flow of data between Europe and the UK and so that data privacy obstacles do not become a barrier to trade and commerce. For these reasons there remains a need for UK businesses to ensure compliance with the requirements of the GDPR by May 2018 and with the likely ‘GDPR-equivalent’ standards of UK law post-Brexit.
Conclusion – Time to step forward
So with just over a year remaining of the two-year countdown to the GDPR, there is still time for those in the hotels and wider hospitality sector who have yet to initiate their GDPR compliance programmes to take that important first step, although the time to act is now!