Why Europe’s New Data Privacy Regulation Should Have Your North American Restaurant or Hotel On Alert

By John Farley, Vice President and Cyber Risk Practice Leader at Hub International - 10/16/2018

If you’re not yet concerned about the EU’s new General Data Protection Regulation (GDPR), you should be.

GDPR took effect on 25 May 2018 and aims to protect the personal data of individuals in the EU by requiring every business that collects, stores or processes that data to follow its rules. These include restrictions on profiling guests for targeted advertising, notification of a personal-data breach to the relevant EU supervisory authority within 72 hours of becoming aware of it (and to the affected individuals without undue delay when the breach is likely to put them at high risk), and clear, affirmative consent from the individual before their data is collected. That consent does not have to be written, but you do have to be able to prove you obtained it.

You don’t do business in the EU? GDPR still applies to any business that offers goods or services to individuals in the EU, or monitors their behavior, wherever that business is located. That includes anyone with European customers: U.S. hotels and restaurants, online retailers, and anyone who ships goods to Europe. In practice, GDPR reaches enterprises worldwide.

Already covered by cyber insurance? There is no such thing as a “standard” cyber insurance policy. Some policies are broad in scope; others are quite restrictive. Some require a trigger, such as a network breach or intrusion, before they respond, and so will not cover a GDPR regulatory investigation, the associated legal fees or any resulting fine when no breach has occurred. Fines can reach four percent of an organization’s worldwide annual turnover or 20 million EUR, whichever is greater.

The following common exclusions may apply to your business’s cyber policy, since GDPR exposure isn’t necessarily covered:

  • Regulatory fines. Pay close attention to coverage for fines and be aware of potential pitfalls, including:
    • Regulatory fines for data-use practices in the absence of a breach
    • Intentional violations by rogue employees leading to coverage denials
    • Whether punitive damages are covered at all

GDPR follows EU residents to your hospitality venue

GDPR applies to any business that collects, stores or processes the personal data of individuals in the EU, regardless of where the business is located. This includes hotels and restaurants that serve EU residents as patrons.

Important GDPR highlights include: 

  • Data-breach reporting is mandatory within 72 hours. GDPR requires businesses to notify the relevant EU supervisory authority within 72 hours of becoming aware of a personal-data breach, and to inform the affected individuals without undue delay when the breach is likely to put them at high risk. This is among the most stringent reporting requirements in the world.
  • Demonstrate that you obtained consent. You must be able to show that the data subject gave consent before you collected their information. Consent must be a clear, affirmative act and cannot be assumed: pre-checked boxes, silence or inactivity do not count and could be treated as a violation of the consent provisions.
  • Targeted profiling restrictions now apply. Restrictions apply to targeted advertising, specifically when monitoring the behavior of individuals for commercial purposes, such as profiling and other use of personal information for analytics.
  • Start documenting collection procedures. GDPR requires you to keep a written record of your data collection and processing activities.
  • Appoint a data-protection officer. Organizations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of personal data, must appoint a data protection officer, regardless of headcount. The DPO advises on, and monitors, the data-protection impact assessment the organization must carry out before starting high-risk processing.
  • Re-examine data retention policies. Data subjects have enhanced rights, including the right to erasure (the “right to be forgotten”). This forces companies to minimize or eliminate the data they hold on an individual and to re-evaluate their retention policies.
  • Engage in data-protection impact assessments. GDPR requires organizations to carry out a data-protection impact assessment whenever a processing operation is “likely to result in a high risk to the rights and freedoms of natural persons.”

Hospitality venues face significant GDPR exposure, in many cases more than other industries. In addition to adopting best practices for data collection and breach response, talk to your cyber broker: there may be ways to secure broader coverage and transfer more of the risk.