What Europe’s data protection regulation means for hotels

INTERNATIONAL REPORT—Hotels gathering personal data from guests in Europe will have to comply with regulation passed last year by the European Union, even if properties are located outside of the politico-economic union’s geographic reach.

Adopted by the EU in April 2016, the General Data Protection Regulation (GDPR) applies to personal data—defined as “any information related to a natural person or ‘data subject’ that can be used to directly or indirectly identify the person.” Online identifiers such as IP addresses are also included. “The GDPR is a continuation of law in the EU to regulate the processing of personal data—information that can be used to identify a living individual,” said Oliver Yaros, senior associate in the intellectual property & IT group at international law firm Mayer Brown.

When the GDPR goes into effect—at the end of May 2018—it’ll replace the Data Protection Directive, which was adopted by the EU in 1995. Unlike its predecessor, the new regulation doesn’t require any enabling legislation to be passed by national governments. This prevents EU member countries from applying the GDPR differently.

Drafted to stay true to the original directive’s guiding principles, the regulation aims to take data protection efforts a few steps further by strengthening data protection for all individuals within the EU, harmonizing data privacy laws throughout Europe, and reshaping how organizations within the politico-economic union handle data privacy.

“It’s been in response largely to the demand by consumers to get privacy back,” said John Wethington, CEO of mysensitivedata.com. “The interesting thing about the changes, though, is they’re really broad. The previous legislation was narrowly focused—in general, business friendly. The language in there was very nebulous.”

One of the biggest changes to data protection regulation across the continent resulting from the GDPR going into effect: regardless of location, all companies processing the personal data of individuals within the EU’s borders are obligated to comply with the law.

For example, with regard to the hospitality and lodging industry, hoteliers offering guestrooms to individuals who usually live in Europe are going to have to abide by the GDPR’s measures, Yaros explained; however, how European data protection authorities will enforce the updated data protection regulation on countries outside of the EU is another matter up for discussion. “Obviously, there are organizations that have a worldwide presence—hotels in Europe, hotels in America and elsewhere—then it’s conceivable that the authorities might take an interest in how those organizations are targeting individuals in Europe for their non-European hotels, for example, and they might try to take action against their European establishments,” he suggested.

Other key changes include sanctions: fines up to 4% of annual global turnover or €20 million (about $21.1 million)—whichever is greater. The GDPR’s approach to fining organizations is tiered. Potential sanctions also include warnings and regular periodic data protection audits.

Some believe previous legislation on the matter protected companies from being accused of any wrongdoing by accepting due diligence as an excuse for breaches or other security attacks. In other words, companies did the bare minimum to protect data. “Up until the last two or three years, due diligence has been this thing that was almost a get-out-of-jail-free card,” Wethington said. “With the GDPR, there’s no due diligence clause, and the penalties are massive.”

Another aspect of the GDPR is consent. Companies will no longer be able to hide conditions of consent behind unfathomable legal verbiage. It must also be just as easy to withdraw consent as it is to give it. Additionally, children under a certain age cannot give consent.

Under the GDPR, organizations will have to notify supervisory authorities of a breach within 72 hours of first having become aware of it. When a breach of personal data is likely to adversely affect privacy, guests must be notified without delay.

Also worth noting: the right to access and the right to be forgotten. The former requires organizations to be able to provide guests with the data held about them. The latter gives guests the right to request the removal of personal data.

Probably one of the more controversial components of the GDPR is the data protection officer (DPO) requirement. “The DPO role, from my perspective, is something that could potentially be fulfilled via contractor or even through a managed service, or something like that—although I will say that most of your larger organizations will opt to simply bring someone in who has that experience and knowledge,” Wethington said. “It’s going to be important for that individual to have a working knowledge of not just privacy concerns and compliance, but also a clear understanding of IT (the landscape there) and the ability to work across departmental boundaries. The role is unique. I think it’s going to put a substantial burden on recruiters and HR alike because there are not a lot of people out there right now who are properly qualified to do this work.”

The DPO will also be taking on a tremendous risk, especially with entities that have been traditionally targeted. “If Yahoo had a DPO at the time it lost a billion accounts—that guy doesn’t have a job, whether it was his fault or not. He doesn’t have a job,” he noted.

Even though the DPO will ultimately be held accountable, many organizations will establish a DPO office to help comply with the GDPR. “I think it’s going to be a team,” Wethington said. “I think it’s really going to require different levels and layers.”

There’s some wiggle room in the GDPR for national parliaments to provide input—the processing of personal data of a child (Article 8) is an example. “It may well be in certain countries you get different age limits for who is a child for data protection purposes, so there might be small regional variations on how the GDPR is implemented, but I don’t think there are going to be any important amendments before 2018,” Yaros said.

To prepare for the upcoming changes, from a legal perspective, mapping out where personal data is coming from and what is being collected is the first step, Yaros said.

“Are we collecting personal data about European individuals only using our European subsidiaries, or are we collecting information about them outside Europe, as well, and why are we processing that?” Yaros asked. The next stage is for an organization to take a look at the new obligations under the GDPR and figure out how they would need to comply.

“We often just collect data because we can,” Wethington said. “I think we need to move beyond the ‘I got it because they were willing to give it to me’ because that doesn’t work anymore.”

He also stressed the importance of understanding where data is coming from, noting how little organizations know about the data they may or may not have on hand. “If I asked you how much money you have and where it was, you could probably answer it, but you can’t do that with your data, and that’s a very scary thing,” he said. His rule of thumb: If you don’t need the data, then delete it; it will decrease risk dramatically.

“I think it’s important to bear in mind that the GDPR won’t become implemented until May 2018, so there’s [time] to get ready for how this will affect businesses,” Yaros concluded.
