Featured on Hospitality Upgrade Magazine’s Tech Talk.
Written by: Sam Crochet, Esq.
US companies collect, analyze, and leverage consumer data to optimize efficiency, advertise and, hopefully, increase profits. However, with the rise of data breach incidents, varying laws and consumer demand pressure companies to secure networks, scrutinize vendor usage—such as security of one cloud processor versus another, and be transparent with “collection practices.” Privacy officers and in-house counsels may already understand US data privacy is controlled by a patchwork of state and industry-specific federal laws. However, companies across the hospitality community are (or should be) racing against the clock to satisfy increased requirements of the EU’s General Data Protection Regulation (GDPR), which becomes effective May 25, 2018. The GDPR will replace the current Data Protection Directive, which was well-intentioned, but inadequate in light of growing technologies. There are notable changes and increased obligations within the GDPR to which US businesses must adhere or risk huge financial penalties. This if the first of several articles updating readers on why the GDPR matters and what steps members of the hospitality industry should take to comply with the regulation.
The European Union’s General Data Protection Regulation: What Steps Must Members of the Hospitality Industry Take?
1. Who does the GDPR affect?
The law is geographically expansive as it applies to the processing of EU residents’ personal data (name, ID number, reference to a physical, economic, or cultural identity of a person, etc.) regardless of the company/processor’s location. For instance, if a hotel markets its services to EU residents beyond merely having a website, than it will likely be controlled by the GDPR. Practically speaking, any organization desirous of European customers—regardless of whether the organization has a European-based office—must comply with the GDPR.
2. What are the consequences if a company does not comply with the GDP
US companies controlling or processing data of EU residents face increased penalties for violating the new regulation. Fines can reach 4 percent of annual global revenue, or 20 million Euros per violation. The regulation also grants European Supervisory Authorities the power to ban a company’s data collection practices altogether. Obviously, US companies cannot afford to mishandle security of EU residents’ data. Below, I list some of the GDPR issues/requirements most applicable to the hospitality industry:
- Stricter Technical and Organizational Security Measures
- New Data Subject Consent Rules
- More Demanding Breach Notification Rules; and
- Vendor Scrutiny and Use of Business Associate Contracts
Stricter Technical and Organizational Security Measures
Unlike some state/federal laws and the current European Data Protection Directive, the GDPR increases the safeguards a company must take to protect customer information against unauthorized access, accidental loss or alteration. The regulation mandates companies implement appropriate technical and organizational measures. “Appropriate” actions include, but are not limited to:
(1) “Encryption” or “Pseudonymization” of personal data—The regulation explicitly names encryption as a technique to avoid improper disclosure of customer information. Encryption software often comes at a higher cost and has its administrative obstacles. As a result, some businesses may instead benefit from “pseudonymization” of personal data. Hospitality members should know the GDPR does not apply to consumer information unrelated to identifiable persons and, further, expressly approves pseudonymization—the concept of removing personal “identifiers” from information to eliminate a link to one’s identity—which would remove data from the scope of the GDPR. Encryption and/or pseudonymization help organizations meet other GDPR requirements as well. For example, depending on the risk of harm, companies must notify European authorities and citizens following a data breach incident (the subject of another article). Since encryption/pseudonymization reduce the risk of harm to EU citizens, companies using these techniques stand a higher chance of avoiding costly reporting obligations.
(2) A contingency plan amidst a technical incident (such as a cyber attack or “ransomware” event)—Companies under the GDPR should have an emergency plan establishing how they will respond and operate during a data breach incident. For example, during a cyber attack on a hotel chain, the hotel should be prepared with a plan employees have practiced so appropriate personnel can (a) identify what data has been compromised, (b) trigger “back up” data for normal business operations, (c) work with the in-house IT team (and potentially an outside forensic specialist) to contain/eradicate an attack, (d) restore operating systems, and (e) examine alongside counsel the various legal obligations arising out of the event.
(3) Utilize regular tests to evaluate effectiveness of technical/organizational security measures—For example, an IT “penetration test” is a simulated attack on a computer network to identify security strengths and weaknesses. Such a tactic assists businesses to identify what software/issues need addressing to improve security. Also, administrative fire drills to test the aforementioned contingency plan will help businesses prepare for a data breach incident.
Keep in mind GDPR violations carry heavy penalties that could crush small businesses. Documenting steps you have taken to address the above issues may establish mitigating factors that could go a long way towards dramatically reducing penalties amidst a GDPR audit.
This article only broadly addresses the GDPR’s technical and organizational security requirement. Contact a privacy attorney to analyze the best approach for your organization and to understand the finer points of the GDPR’s technical/organizational requirements.
GDPR Article 3.
“A Primer on the GDPR: What You Need to Know.” Bowman, Courtney, December 23, 2015
GDPR Article 83(5). It should be noted consumers have a right to judicial remedy against companies and processors under the GDPR.
GDPR Article 58.
GDPR Article 32; GDPR Recital 49.