The European Union’s new General Data Protection Regulation will soon be a reality for businesses, so here are a few things to be mindful of.
GLOBAL REPORT—If they’ve been paying attention, hoteliers should already know they have a massive challenge ahead of them with the European Union’s looming General Data Protection Regulation, which goes into effect 25 May 2018.
The GDPR’s new rules threaten massive financial punishment in the case of data breaches or mishandling of data. The worst offenses will incur fines of either 4% of a company’s “global turnover” or €20 million ($23.7 million), whichever is greater.
A recent webinar hosted by Hospitality Financial & Technology Professionals discussed what hoteliers should be aware of regarding the new rules. Here are a few key takeaways:
1. It means creating a new job description, possibly
Chief among the new rules is that organizations handling sensitive data must assign a “data protection officer.” But Alvaro Hidalgo, managing partner for First Logic Consulting, noted the DPO doesn’t necessarily need to be an employee.
“The law requires the mandatory appointment of an entity or person,” he said. “The tasks of a DPO can be handled by a company.”
Appointing a third party, as opposed to a person, to the DPO role also means making sure that company is compliant with EU rules, Hidalgo noted.
2. It doesn’t just affect European companies
Companies outside of Europe also need to be mindful of the new rules, Hidalgo said, because they apply not only to “all organizations established in the EU,” but also those that “offer goods and services to EU residents” or “monitor the behavior of EU data subjects.”
That means many companies in the U.S. and elsewhere will have to meet the bar set by the new regulations or face the consequences.
3. Rules are now standardized across the EU
Despite the harsh punishments, the GDPR will provide businesses with the benefit of a single set of rules to follow, Hidalgo said.
He said the GDPR will essentially create a “single privacy regime across the EU.” Companies are required to have a single DPO contact if they operate in multiple European countries, as opposed to DPOs for each country.
“From the point of view of handling (data protection) for a multinational company, it is actually a straightforward process,” he said. “You don’t need to go country-by-country checking how the law applies.”
He said one area in which the rules will continue to differ will be data relating to employee performance.
4. Companies now have to answer for what data they collect, and why
Hidalgo said the new rules put more pressure on companies to track the entire process of when data is collected and handled, and to give justifications for what they’re doing. Companies are now required to show things like a “legitimate interest” or “contractual obligation” to store potentially sensitive data.
“And (the reason) must be kept as a record so there is no assumption for why did they record it,” he said. “There must be a conclusive registry of why certain data were collected.”
Consumer preference data would fall within that “legitimate interest” threshold, Hidalgo said, but the company needs to clearly establish why it’s keeping that data.
5. Who is as important as what
The new rules don’t just put pressure on what kinds of data hoteliers and other businesses can amass, but also on who can collect it and in what way, Hidalgo said.
Companies must keep track of the chain of the data, meaning a record of who collects the data and then who accesses it both internally and externally.
“The law requires you to be specific and put in place procedures on whom the data can be shared with, both internally and externally,” he said.