The importance of May 25, 2018.
If you are reading this, you have probably been inundated with emails from companies announcing that they have adopted new and better privacy and security policies and procedures. This isn’t a coincidence Ð as of May 25, 2018, the EU’s General Data Privacy Regulation (GDPR), requires every organization that does business in the EU, or that collects information from EU citizens, to guarantee the privacy and accuracy of personal information. While the purpose of the GDPR is to strengthen and unify data protection for all individuals within the EU, its effect is worldwide; every organization that does business in the European Union or collects personal information from individuals in the European Union is subject to this regulation.
The GDPR is a watershed event that will impact every business that collects personal information, wherever located, and no industry will be more impacted that the hospitality industry. Other companies can choose not to do business with EU citizens; some companies have determined that it is impossible to comply and have actually closed. That is not an option for hotels. Hotel companies need to understand the goals and requirements of the GDPR. The nature of hotels and the various data holding sources such as OTA bookings and PMS systems escalate the regulation for travel and hospitality industries.
Severe consequences for non-compliance
The consequences for non-compliance can be extreme: The maximum fine that can be imposed for serious infringements of GDPR is the greater of Û20 million or four percent of an undertaking’s worldwide turnover for the preceding financial year. While no one knows yet how aggressive European regulators will enforce GDPR, and in particular how they will apply it to firms based outside the EU, there are already public interest groups that are targeting multinational companies, and it seems likely that there will be some fallout.
What you need to know
Complying with GDPR is not easy. The GDPR is based on general principles, which allow leeway Ð and confusion Ð for companies. The rules of the road are likely to become clearer as the regulation is implemented, but for now, each company must make hard decisions. The GDPR requires that an organization both comply with its principles and document compliance. It is more than just adopting a new privacy policy; it requires concrete actions, and recording those actions.
While the entire process of compliance is extensive and a continuing effort, firms should take on these concrete steps to get on the road to compliance:
1. Map your data
It is impossible to protect data if you don’t know what or where it is. Many companies collect data indiscriminately and keep it indefinitely; both of these are the exact opposite of what is required under the GDPR. A company must know what information it collects, where it stored, how it is used, and who has access to it in order to begin to comply. Importantly, companies must look not only at the data they collect directly; they need to consider data they obtain from others. For example, a hotel company will be responsible not only for personal data in reservations made directly with the hotel, but also for data from OTAs and other sources.
2. Appoint a Data Privacy Officer
Privacy and security demands attention from every level of an organization, but the GDPR emphasizes the need for a single individual or office to be responsible for evaluating security and compliance. Companies need to identify someone who is knowledgeable in the law and regulation of data security, as well as the firm’s individual business practices.
3. Review vendor agreements
Firms are responsible for anyone who uses the data they collect or obtain. This includes not only employees and others working directly for a firm, but also the companies we engage to perform services for us. Hotels use a bewildering array of vendors to provide services, ranging from credit card processing to marketing to personnel management Ð each of these entities need to comply in order for you to comply.
4. Update existing policies
It is likely that your existing privacy and security policies, both internal and external, need to be updated to reflect the requirements of the GDPR. Companies need to remember that the GDPR requires that companies provide actual privacy and security, and also prove that they do through applicable documentation. The policies have to be consistent with practice.
About the author
Bob BraunÊis a Senior Member of JMBM’s Global Hospitality Group and is Co-Chair of the Firm’s Cybersecurity & Privacy Group. He recommends that to deal with GDPR compliance, you also engage experienced counsel.
The JMBM Global Hospitality Group has joined with its Cybersecurity and Privacy Group to provide a unique set of skills: in depth knowledge of the hospitality industry, its players and practices, along with experience guiding a variety of firms, including hospitality companies, in complying with international privacy laws. They have developed both domestic and international resources, as well as technical partnerships, that allow ups to provide a full suite of services to clients.
Bob has more than 20 years experience in representing hotel owners and developers in their contracts, relationships and disputes with hotel managers, licensors, franchisors and brands, and has negotiated hundreds of hotel management and franchise agreements. His practice includes experience with virtually every significant hotel brand and manager.Bob also advises clients on condo hotel securities issues and many transactional matters, including entity formation, financing, and joint ventures, and works with companies on their data technology, privacy and security matters. These include software licensing, cloud computing, e-commerce, data processing and outsourcing agreements for the hospitality industry.
In addition, Bob is a frequent lecturer as an expert in technology, privacy and data security issues, and is one of only two attorneys in the 2015 listing of SuperLawyers to be recognized for expertise in Information Technology. Bob is on the Advisory Board of the Information Systems Security Association, Los Angeles chapter, and a member of the International Association of Privacy Professionals. Contact Bob Braun atÊ310.785.5331ÊorÊrbraun@jmbm.com.
This article was first published by Jim Butler and the Global Hospitality Group Hotel Lawyers | Authors of www.HotelLawBlog.com