Preparing for May's New Data Protection Rules

by John Barchie, Arrakis Consulting

As of May 25, 2018, hotels accepting reservations from citizens of a European Union (EU) country could be at risk for fines, depending on how those reservations were made. This is because hotels will fall under the purview of the new General Data Protection Regulation (GDPR) when it takes effect.

GDPR was designed to better protect EU citizen data and to ensure that companies storing that data are entitled to possess it. Standards vary based on where the data originates, but generally any information such as name, address, credit card number, etc. is covered. In the U.S., protected data is defined as Personally Identifying Information (PII); as defined by GDPR, for an EU citizen it is known as Personal Data. Failure to protect PII or Personal Data to the required standard could bring a hefty bill or, upon consistent failure, even an order to cease business in EU countries.

Current U.S.-based data privacy regulations require companies to notify customers if a data breach occurs, but in the U.S. there can be a significant time delay between the breach and the notification letter. Not so with GDPR: it requires that the Supervisory Authorities be notified within 72 hours, even while a breach is still being investigated. Failure to report within 72 hours could lead to significant fines. Maximum fines could be up to US$26 million or 4% of global gross revenue, whichever is greater.

Hotels will be affected by the complexity of GDPR because, like travel companies, they gather credit card PII and Personal Data from EU subjects. So, essentially, if an EU citizen plans to come to the U.S. on vacation and engages in the transaction from the EU or via an EU website, then the hotel may be subject to GDPR if the transaction consent form is not properly worded. That’s right: GDPR requires a consent form prior to processing EU citizens’ personal data.

For hotel chains that have a global presence, GDPR is even more stringent. All of their locations will potentially be affected, and certainly those locations in EU nations. If a hotel is investigated and is found to be non-compliant with GDPR, then regulators have the ability to fine the hotel or ban the organization from EU business. Additionally, if a violating hotel brand is unfazed by a ban and decides to sell all of its EU-based hotels, regulators can then seize the money from the sale and also instruct all travel agencies in the EU not to use that hotel chain in other regions of the world for any EU customers. This would be a huge hit for any hotel chain, no matter how large.

The first step toward compliance for hotels is determining whether a Data Protection Officer (DPO) is needed and, if so, assigning one. A company will be required to have a DPO if it processes large volumes of data covered by GDPR. This person must be available and involved in any event where there is a possibility of a loss of GDPR-covered data. The DPO will be the point person for any GDPR issue with the affected persons and the Supervisory Authority. Obviously, because the DPO will be instrumental in proving your company’s compliance with GDPR, this individual needs to know the regulations and your security protocols inside and out, backward and forward. If your company is not required to have a DPO, you should still have a plan in place for whom you will call if the Supervisory Authority opens an investigation.

Of course, hotels cannot stop there. All Personal Data needs to be evaluated to determine if the business is legally allowed to receive, store, or process the data. Any unlawful possession of data covered under GDPR will be viewed as a serious violation.

Any Personal Data that is lawfully received, stored or processed by a company needs to be encrypted. This means encrypted both at rest and in transit: complete end-to-end encryption. GDPR does not allow for lenience regarding outdated software or new implementations that are still being evaluated for deployment. If hotels did not plan on upgrading, or do not have the budget to upgrade, outdated software and leave it in place, they will be held accountable and in violation of GDPR if a breach occurs. All of these efforts need to be documented so they can be given to a Supervisory Authority upon request.

Companies will also now be required to complete Data Protection Assessments and Privacy Impact Assessments, and will be expected to increase visibility into what level of impact a breach might have on customers and the company if one occurs. Again, these efforts need to be documented and presented to Supervisory Authorities upon request, in order to show a ‘willingness to comply’ with GDPR.

Another key component of GDPR the hospitality industry should be aware of is the requirement for simple opt-in and opt-out of Personal Data sharing. Data subjects must have a clear and concise method of consenting to having their GDPR data collected from them, as well as a complete understanding of how their data will be used and stored. There can be no confusion in the consent message at all, and there will likely need to be multiple consent forms. The data subject must also have the ability to revoke consent in a manner just as easy as giving consent.

There are many other components of GDPR that hotels should familiarize themselves with and comply with where required. The best source of information on the regulation requirements is

Once GDPR takes effect, if your hotel experiences a breach or is contacted by a GDPR Supervisory Authority, the best course of action is to show an attitude of compliance by offering complete support for the investigation. Then, contact your legal team. It is important to remember that complying with GDPR can be complex. It takes time to update systems and processes to the level of security required by the new regulations. It can also be costly and disruptive, but the protection of data is becoming paramount in the new business paradigm. Under GDPR, the cost of compliance is intended to be less than the cost of sanctions.