PART 2: The European Union’s General Data Protection Regulation: Two Important Steps to Take

Featured on Hospitality Upgrade Magazine’s Tech Talk.
Written by: Sam Crochet, Esq.

In my June column, we discussed why the General Data Protection Regulation (GDPR) matters to the hospitality industry and the technical/organizational steps members should take to comply with the regulation. Practically speaking, any U.S. company desirous of European customers must comply with the GDPR as of May 25, 2018, or risk facing penalties as high as 4 percent of global revenue.

In this segment, we move on to two key requirements of the GDPR that supervisory authorities will be monitoring (and enforcing) closely: consent and breach notification.

1. Changes to How Hospitality Members Must Obtain “Consent” to Collect Data

The GDPR requires companies to give European consumers the chance to “opt in” to data collection by a statement or clear affirmative action. Presentation of the “opt in” request must be clear and concise. This is a stark shift from the former EU regime and the opposite of many U.S. state/federal laws. The rule requires major overhaul in written policies and customer forms (both digital and paper). For example, a hotel’s online booking page displaying pre-ticked boxes for consenting to the collection of names, email addresses, and telephone numbers will no longer suffice. Likewise, a hotel’s collection of personal information based on consumer inactivity or silence in the face of a privacy notice does not trigger consent. Instead, the consumer must be given the chance to express affirmative action at either ticking an empty box or providing some other explicit consent such as submitting a signature. Further, for those companies hoping to gain opt-in consent through electronic signatures that succeed boiler plate language, the GDPR requires organizations provide consent requests that are closely linked to the processing activity through clear affirmative action regarding that specific collection practice. Similarly, when data processing has multiple purposes, consent must be obtained for each purpose (i.e. marketing versus customer service).

Additionally, the GDPR gives consumers the right to withdraw consent at any time. Companies must notify consumers of this right before obtaining consent and, once consent is withdrawn, consumers can request their personal information be erased.

2. Changes to the Data Breach Notification Rules for Many Hospitality Members

Perhaps no section of the GDPR reflects increased consumer protectionism as much as the new data breach notification rules. Hospitality members under the GDPR will face far greater exposure to costly breach reporting requirements for EU citizens’ data than with U.S. consumers since there is more “personal data” under the GDPR. “Personal data” is any information relating to an identifiable natural person. This could feasibly be everything from names, telephone numbers, email addresses and photographs to IP addresses, online cookies, and mobile device IDs. Less restrictive U.S. state/federal laws often require “personal data” to include a full name and a social security, driver’s license, or financial account number. Given this increased exposure under the GDPR, hospitality members should immediately analyze the scope of the information they collect to determine how vulnerable they are to the GDPR’s definition of “personal data.” Depending on what data is being collected, companies will need to immediately reform their policies pertaining to breach response and subsequent notifications. On a side note, it is highly advisable to practice “pseudonymization” as data is only “personal” under the GDPR if it can be linked to an identifiable person. By de-humanizing information, a company can often avoid the obligations of the GDPR, costly breach reporting requirements, and the public relation storms that often follow a data breach.

In the event of a data breach involving EU residents’ data, U.S. companies will have to report the event to certain European Supervisory Authorities within 72 hours of obtaining notice of the breach. This is more precise than many state laws, which generally include a “reasonable time period” or “without undue delay” standard. Further, whereas notification to the European Supervisory Authorities turns on whether there is a general “risk” to the consumer, the obligation to provide notification to consumers themselves turns on whether there is “high risk” to the consumer. Thus, when reviewing or developing a breach response procedure, hospitality members under the GDPR need to factor whether a breach’s risk to a consumer meets this high standard, at which point it would have to provide immediate consumer notice. This ambiguity could trouble hospitality members struggling to respond in the hours and/or days following a breach. The GDPR does offer some clarity, indicating “high risk” may incorporate severe vulnerabilities such as threat of identity theft, financial loss, fraud, discrimination, and/or damage to reputation.

GDPR auditors will not smile kindly on U.S. companies seeking loopholes in the law. The highest potential fines will be reserved for companies violating the most basic principles for processing, such as consent or breach notification.

Hospitality members can reduce exposure under the GDPR by performing a full risk assessment starting with the scope and legal significance of their data collection practices. (1) Revising internal policies/procedures to accommodate the GDPR’s consent and notification requirements and (2) tailoring breach response protocol to the timing and risk/high risk test will go a long way toward avoiding a violation and, most importantly, will document the compliance steps members have taken in the event of an EU audit.