The purpose of the GDPR is to provide a single set of data protection rules across all EU member states, so that EU citizens can clearly understand how their data is being used and raise complaints when necessary. The GDPR replaces the 1995 Data Protection Directive 95/46/EC, which governed the processing of personal data, and updates the legislation for the modern day. Failure to comply with the GDPR can cost an organization fines of up to €20 million or 4% of annual global turnover, whichever is higher.
HTNG Consultant member and principal of Schulz Consulting, Finn Schulz, explains that at least one of three parties needs to be in the EU for a company to fall under the GDPR: the data subject, the data controller or the data processor. The data subject is the individual whose personal data is being collected (name, IP address, etc.). The data controller is the body that determines the purpose of the processing. The data processor collects and stores the actual data on the controller's behalf. It is important to note that an outsourced data processor is now subject to direct scrutiny by the EU data protection authorities, whereas in the past the data controller alone was responsible for the compliance of the processors it engaged.
Schulz advises the travel industry to expect the biggest impact of this regulation to be made over the Internet, with call centers and print advertising to follow.
Consider an EU citizen booking a hotel room online: the individual initiates the transaction and enters into a contract with the hotel. The hotel automatically acts as a controller and processes the individual's data for the duration of the stay. At check-out the contract is complete, and the hotel cannot hold on to the information without consent from the individual. Handled this way, the scenario complies with the GDPR.
However, the hotel could fall out of compliance if it holds onto the guest’s information afterward or if other personal data unknown to the guest was indirectly collected, such as racial or religious indicators. Note: there are certain local regulations that may require hotels to retain traveler data, which can supersede these rules.
Some hospitality experts believe that consent is implicitly given by enrolling in a loyalty program. A loyalty program is the easiest way to store guest profiles, but it still requires consent from the data subject. A loyalty program can serve as a joint controller across a brand, but the data being stored, the purpose of collection and the length of retention also need to be disclosed to the individual at sign-up.
Schulz views historic data as the main privacy issue for the travel industry. “Best practices include having as little data as possible, justification for what is necessary and proof of consent,” Schulz said.
Schulz expressed that the retention period is the most overlooked aspect of the regulation. A company should first research whether it falls in scope, keeping in mind that one of three parties (data subject, data controller or data processor) must be in the EU for the regulation to apply. If the company is in scope, it should then establish what personal data it collects and where that data is stored. It must then review this inventory, reduce it to only the necessary fields, and enforce that minimum going forward.
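The booking scenario above (contract until check-out, then consent or a local retention law, or erase) and the inventory-and-minimize procedure Schulz describes can be encoded as a retention check run over the guest records a hotel holds. The following is an added example, not code from HTNG, Schulz Consulting or the original article; the field inventories, the jurisdiction code "XX", its 365-day statutory retention period and the sample guests are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hypothetical field inventories. In practice these come from the data-mapping step
# (what is collected and where it lives), reduced to the minimum each basis needs.
CONTRACT_FIELDS = {"name", "email", "check_in", "check_out", "room"}
CONSENT_FIELDS = CONTRACT_FIELDS | {"loyalty_id", "preferences"}
LEGAL_FIELDS = {"name", "check_in", "check_out"}
SPECIAL_CATEGORY_FIELDS = {"religion", "ethnicity", "health_notes"}
ALLOWED_BY_BASIS = {"contract": CONTRACT_FIELDS, "consent": CONSENT_FIELDS,
                    "legal_obligation": LEGAL_FIELDS, "none": set()}
# Hypothetical statutory retention of registration data, in days after check-out,
# keyed by a made-up jurisdiction code. Real values depend on local law.
LEGAL_RETENTION_DAYS = {"XX": 365}


@dataclass
class GuestRecord:
    guest_id: str
    jurisdiction: str
    check_out: date
    fields: Dict[str, str]
    consent_recorded: Optional[date] = None   # date the proof of consent was captured
    explicit_special_consent: bool = False    # explicit consent for special categories


@dataclass
class Decision:
    guest_id: str
    basis: str
    action: str                  # "keep", "minimise" or "erase"
    retained: Dict[str, str]
    findings: List[str] = field(default_factory=list)


def lawful_basis(rec: GuestRecord, today: date) -> str:
    """Return which basis, if any, still justifies holding the record on `today`."""
    if today <= rec.check_out:
        return "contract"                 # stay not finished: the contract is in force
    if rec.consent_recorded is not None:
        return "consent"                  # guest opted in, e.g. a loyalty profile
    limit = LEGAL_RETENTION_DAYS.get(rec.jurisdiction)
    if limit is not None and today - rec.check_out <= timedelta(days=limit):
        return "legal_obligation"         # local law requires the data to be kept
    return "none"


def evaluate(rec: GuestRecord, today: date) -> Decision:
    """Keep only the fields the current basis justifies; flag everything else."""
    basis = lawful_basis(rec, today)
    allowed = ALLOWED_BY_BASIS[basis]
    findings: List[str] = []
    retained: Dict[str, str] = {}
    for name, value in rec.fields.items():
        if name in SPECIAL_CATEGORY_FIELDS:
            # Special-category data needs explicit consent. Indirectly collected
            # indicators (the case the text warns about) are flagged and dropped.
            if basis == "consent" and rec.explicit_special_consent:
                retained[name] = value
            else:
                findings.append(f"{name}: special-category data without explicit consent")
            continue
        if name in allowed:
            retained[name] = value
    dropped = sorted(n for n in rec.fields
                     if n not in retained and n not in SPECIAL_CATEGORY_FIELDS)
    if dropped:
        findings.append(f"fields not justified by basis '{basis}': {dropped}")
    if basis == "none":
        action = "erase"
    elif set(retained) != set(rec.fields):
        action = "minimise"
    else:
        action = "keep"
    return Decision(rec.guest_id, basis, action, retained, findings)


def run(records: List[GuestRecord], today: date) -> List[Decision]:
    return [evaluate(r, today) for r in records]


# Constructed sample data (not real guests). TODAY is fixed so the run is reproducible.
TODAY = date(2018, 5, 20)
SAMPLE = [
    # Still checked in, but an ethnicity indicator was collected without explicit consent.
    GuestRecord("g1", "XX", date(2018, 6, 1),
                {"name": "A. Guest", "email": "a@example.com", "check_in": "2018-05-18",
                 "check_out": "2018-06-01", "room": "204", "ethnicity": "..."}),
    # Checked out, loyalty member with recorded consent: profile may be kept.
    GuestRecord("g2", "XX", date(2018, 3, 1),
                {"name": "B. Guest", "email": "b@example.com", "loyalty_id": "L-1",
                 "preferences": "high floor"}, consent_recorded=date(2018, 2, 25)),
    # Checked out, no consent, but inside the hypothetical statutory retention window.
    GuestRecord("g3", "XX", date(2018, 1, 10),
                {"name": "C. Guest", "email": "c@example.com", "check_in": "2018-01-08",
                 "check_out": "2018-01-10", "room": "101"}),
    # Checked out over a year ago, no consent, no retention law: nothing may be kept.
    GuestRecord("g4", "YY", date(2017, 1, 10),
                {"name": "D. Guest", "email": "d@example.com", "check_in": "2017-01-08",
                 "check_out": "2017-01-10", "room": "300"}),
]

if __name__ == "__main__":
    for d in run(SAMPLE, TODAY):
        print(d.guest_id, d.basis, d.action, sorted(d.retained), d.findings)
```

The `findings` list is what an audit would want to see: each entry points at a field the current lawful basis does not justify, so the output doubles as the evidence that the "as little data as possible" review was actually carried out. The field allowlists and the retention window are deliberately external constants so that a change in local law or in the consent text is a data change, not a code change.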
“My advice for companies is: Take this seriously, do your research and make sure your processes are in place,” said Schulz. “The regulation is not meant to fine as many organizations as possible but to build openness and trust between customers and businesses.”
HTNG’s GDPR for Hospitality Workgroup is producing an executive-level white paper describing key considerations, use cases and impacts of the regulation, focusing on top areas the hospitality industry must address in order to prepare for GDPR Compliance.
Schulz and Richard Sheinis, CIPP-US, Hall Booth Smith, P.C., will speak on the GDPR topic at HT-NEXT (www.ht-next.com) in a session titled, “Demystifying GDPR: Everything you Need to Know and Were Afraid to Ask,” taking place on Wednesday, March 14 in San Diego.