The General Data Protection Regulation, or GDPR, is an upcoming regulation in the EU that was created to protect data and privacy for EU citizens. It comes into effect on the 25th of May. This regulation replaces the Data Protection Directive, in effect since 1995.
The misuse and breach of user data have been a hot topic of late with the news of Cambridge Analytica gaining access to the data of over 87 million Facebook users (possibly a lot more) without consent, through misrepresentation. This has contributed to the growing awareness that data has tremendous value in the marketplace. Technology companies have grown to wield a lot of power and influence, but no meaningful safeguards have been put in place in the US to prevent abuse like we saw in the Cambridge Analytica case.
Generally the EU has been much stricter and more proactive in its rulemaking around the way data is handled on behalf of its citizens. While the US leads the world in software and technology, I would say that the polarization, revolving door, and special interests in politics (especially with media companies) have created an atmosphere for a very different regulatory environment. The glacial pace of rulemaking around ADA compliance for the web is a good example of this effect. Whatever the case may be, regulations around data handling, misuse, and storage have been slow to develop in the US and much more reactive than their counterparts in Europe.
I will provide more detail on the items that need further elaboration, but here’s a rundown of the more straightforward requirements:
- Organizations must appoint a Data Protection Officer (with expertise around data protection laws) who is responsible for handling and managing the data in the company.
- Under GDPR, companies must provide users with the retention time for personal data, how it’s being used, and contact information for the Data Controller and Data Protection Officer.
- EU citizens will have the right to request that personal information be erased from a database, and be given the ability to move their data elsewhere.
- Data protection must be designed into the product or services; privacy settings have to be set at a high level by default rather than by choice.
The reporting requirement says you must report known data breaches to the affected individuals within 72 hours. Individual users have to be notified if they’re negatively impacted, but there’s an exception to this requirement if the data that was breached was encrypted.
This liability is pretty broad – if a third party you work with was breached, the reporting requirement applies to you as well. You would be smart to have some kind of mechanism or agreement with any third parties you work with to notify your data compliance officer. The DCO would then need a process in place to notify users within that 72 hour window.
Who & what it applies to
GDPR has a pretty broad scope. It applies to any individual, company, or third party that stores, collects, or processes data from any citizen of the EU. The same level of protection has to be applied to everything that’s covered – this includes personal information (name, address, phone, SSN), IP addresses, and cookies.
Here’s a more complete list of things that are covered by GDPR from Wikipedia:
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
There are some exemptions to GDPR, with more likely to come through litigation:
- If consent was explicitly given
- Processing of data is required as part of a contract, or necessary to meet a legal obligation
- It’s needed to protect vital interests of the person, or someone else
- It’s necessary in the public interest or through official authority
We don’t yet know the level of enforcement that will accompany the regulation, but by analogy with similar situations, I’d expect that a number of large organizations will be targeted early to set the tone (e.g. the Marriotts, Booking.coms, and Airbnbs of the world). The regulation itself uses language that can be vague (e.g. “reasonable expectations”), so some of it will be open to interpretation. It will be up to the courts to provide clarity and put some guidelines in place for compliance and infractions.
One very important thing to note is that this regulation doesn’t meaningfully differentiate between an entity (you) and a third party. If a third party service or vendor you work with is not in compliance, neither are you – and you will be held equally liable. So the first thing you need to do is to know how your users’ personal data is flowing through your organization, and how it’s being handled and stored.
This survey found that 22% of companies that hold data from EU citizens are not even aware that they must be GDPR compliant. That same survey said that 64% of companies don’t yet have a data compliance officer, and 66% don’t know whether personal data is deleted forever in their systems as required by GDPR.
Penalties are severe! A lot of this will have to be defined more granularly by the courts, but this is what we know from what’s been published so far:
- Warnings for first-time offenders or for “non-intentional” non-compliance
- Regular audits will follow for violators
- A fine of up to 10 – 20 million Euros!
What travel & hospitality brands need to do
For most organizations, the risk will be with the third parties you work with – your PMS, GDS, CRM, and all the marketing tools and SaaS companies. But here’s what we suggest you do if you’re a travel or hospitality brand:
- If you haven’t already, start planning for GDPR from the top down.
- Identify a lead, create an internal GDPR policy, implement it, and hold regular check-ins and audits.
- Identify all internal systems and third parties that must be compliant, and which of them are housing data from EU citizens.
- Hire a data protection officer (DPO) or find a reputable third party who provides this service.
- Create a policy requiring GDPR compliance for all new relationships, tools, and software.
- Have the DPO take the lead on creating a detailed response plan (for a 72 hour response).
For more detail, visit: https://www.eugdpr.org/