The Gist on GDPR
General Data Protection Regulation (GDPR) unifies the data protection rules across Europe, strengthening the rights of EU residents by emphasizing transparency and accountability.
At the heart of GDPR is the protection of consumers’ personal data: not only name, address and date of birth, but also health information, IP addresses, mobile device identifiers, geo-location, biometric data, psychological identity, genetic identity, economic status, religion and sexual preference, to name a few.
The regulation empowers consumers. Under GDPR, individuals must give permission before a company collects their data; a company can no longer add consumers to email lists without their consent. The more personal the data, the clearer the opt-in permission request must be.
At any time a consumer can request access to all the data that has been collected concerning him or her, and has the right to have it deleted or moved to another party.
If there is a data breach, an organization must notify individuals within 72 hours of its discovery.
If you’re a U.S.-based business and think that this doesn’t affect you, think again. Even if you don’t have operations in Europe, if you have European residents as customers, you could be affected. Many companies, including hospitality organizations, are still not prepared with adequate security measures in place.
In Compliance Point’s GDPR Readiness survey, 45.6% of businesses reported that they have not become compliant because they are waiting to see what enforcement comes from the regulation.
Noncompliance could be a catastrophic decision, as fines for noncompliance are up to 20 million euros (approximately $23.5 million) or 4 percent of a company’s global annual income, whichever is higher.