Impact of GDPR on Hospitality Industry – Webinar Part 1

As the European Parliament announced the General Data Protection Regulation or GDPR last year, organisations need to ensure that they are aligned with the new law from May 2018. It’s quite difficult to cut through all the GDPR clatter and figure out how does GDPR effect your organisation.

In the interest of hoteliers in the EU member states, Cvent collaborated with Joanna Kolatsis – a partner at Hill Dickinson and head of the Aviation and Travel Team to host a webinar on the General Data Protection Regulation in the last month. This webinar intended to provide hoteliers with an overview of how the GDPR will impact the hospitality industry. In this blog, we’ll provide you with some key takeaways from the webinar.

GDPR Overview

• Significant ‘gear change’ for DP – The GDPR represents a significant ‘gear change’ for data protection across the EU.
• ‘Evolution’ not ‘Revolution’ – It has been billed as an evolution of data protection regulation – not a ‘revolution’.
• ‘One Stop Shop’ oversight – The main aim is to provide a ‘one-stop-shop’ oversight and regulatory system in each of the EU Member States and provide clarity in view of the ways in which data (and the use of data) has evolved over the years.
• Cybersecurity – It goes without saying that cybersecurity is going to be a key consideration for all businesses in view of the obligations under the GDPR. Now more than ever will it become necessary to ensure cybersecurity protection and prevention measures are in place in order to avoid possible data breaches and hefty sanctions under the GDPR.

GDPR and its origins

In April 2016, the European Parliament, Council and Commission agreed to the wording of the EU General Data Protection Regulation which was published on 5^th May 2016.

As an EU Regulation, it becomes directly applicable across all EU Member states as of the 25^th May 2018. The countdown to implementation is now in its final throes and only two months remain until the D day!

The objective of the GDPR is to harmonise data protection regulation across the EU. Over the course of time, data protection law varied from state to state and the aim of GDPR is to bring some much-needed clarity as to how EU data subjects can expect their data to be handled (across the EU and beyond) going forward.

The GDPR now takes account of the digital world that we live in a way that its predecessor, the Data Protection Directive, never did.  For example, when the original Data Protection Directive was published, we didn’t have social media platforms or online shopping in the same way that exists now.  The GDPR attempts to bring data protection regulation up to date in line with digital and online behaviours, in order to provide maximum protection to EU data subjects.

Key Changes

• Extraterritorial application. The GDPR applies both inside the EU and also to third countries where they are controlling or processing data of EU citizens.  Even if you are not an EU based organisation, but process or control data related to the offering of goods or services to individuals in the EU (irrespective of whether a payment is required), or the monitoring of their behaviour, in so far as their behaviour takes place within the EU – you will be expected to comply with the GDPR.
• Accountability. There is a big push towards accountability in the GDPR and the need to hold organisations responsible for data control and processing in general. Instead of submitting an annual registration to the national data protection authority, organisations will have increased responsibilities to maintain detailed records showing data protection compliance.
• ‘Personal data’ and ‘Sensitive data’. Personal data is defined within the GDPR as ‘any information relating to an identified or identifiable natural personal (‘data subject’). The means of identification can be a name, an identification number, location data e.g. IP addresses or one or more factors specific to the physical, genetic, physiological, economic or social identity among others.  You can see therefore that the definition of personal data alone is broad and expansive. Special categories of data, also called ‘Sensitive data’ remain with the GDPR but with an extended scope. This includes biometric and genetic data. 
• Wider scope than DPD. As mentioned earlier, GDPR is much wider in scope than its predecessor, the Data Protection Directive. Having just mentioned a few of the key changes so far, you can see just how much broader in scope it is and the justification for the EU’s extension of data protection rights across the region. 
• Consent. This is one of the biggest changes to the current data protection regime.  The provisions surrounding consent are far more stringent.  Going forward consent must be freely given by data subjects, specific, informed and unambiguous.  This is intended to be far more strictly applied under the GDPR.

• Direct compliance for data processors. Before it was the data controller who took the lion’s share of the responsibility for compliance. However, the GDPR introduces direct compliance obligations on data processors and gives data subjects the right to enforce against them directly. 

• Privacy by design and by default. This is another key change under the GDPR. It introduces the concept that data protection processes and procedures need to be developed to fit the business at hand as opposed to ‘off the shelf’ IT solutions alone.  It will be mandatory for data controllers to take data protection concerns into consideration when designing a new product or service.  An approved certification may be used as a means to demonstrate compliance going forward. 

• Privacy Impact Assessments (PIAs). PIAs will be mandatory in certain circumstances, for example, where processing of special categories or data or data relating to criminal offences take place on a large scale, where a systematic monitoring of publicly accessible areas takes place on a large scale, or where a systematic and extensive evaluation of the personal aspects of individuals based on automated processing (including profiling) takes place. 

• Data protection officers (DPOs). The role of the DPO is not necessarily a new obligation to some EU Member States but it will be in the UK. Data controllers and data processors must appoint a DPO where the processing is carried out by a public authority, or their core activities involve monitoring individuals on a large scale or where they process special categories of data, or data relating to criminal convictions and offences on a large scale.  The DPO must have expert knowledge of data protection law and practice. 

• Increased penalties for breaches. This change is perhaps the most talked about (and frightening) part of the GDPR. We will now have a much heavier penalty system by the way of a two-tier system of fines: 

– Up to 2% of annual worldwide turnover or EUR 10M (whichever is greater) for violations relating to internal record keeping, data processor contracts, data protection officers and data protection by design and by default;

– Up to 4% of annual worldwide turnover or EUR 20M (whichever is greater) for violations relating to breaches of the data protection principles, conditions for consent, data subjects’ rights and international data transfers.

•  Mandatory notification requirements. In the event of a data breach, this must be notified to the relevant authority without undue delay and within 72 hours of the breach occurring, unless it is unlikely to result in a risk to data subjects concerned. The data controller must provide reasoned justification if it is any later than that.  The data controller must also notify the data subject without undue delay if the breach is likely to result in a high risk to the individual unless the controller has implemented the appropriate technical capability to assess that it is no longer a high risk or it would involve a disproportionate effort.

If you’re thinking that’s all about GDPR, you’re not right! In this blog, we talked about GDPR, its origins and the key changes that it will affect. But we’re yet to tell you how you can apply GDPR to your business. Not just that, we’re also going to share a pre-designed GDPR plan that will work for your business. So, stay tuned until we come back with our next blog in this series!