GDPR: Time to Panic?

Aimée Olley, Our Data Protection
Co-Ordinator provides some timely GDPR advice.

The deadline for hotels to comply with the new General Data Protection Regulations is fast-approaching. By the time this article is published, it may have already landed at our doors. So, should you be panicking?

Aimée Olley, Data Protection Co-Ordinator for Great National Hotels and Resorts provides some timely advice.

In short, the answer is no, or at least, not yet.

The likelihood is that you’ve already started the GDPR journey or are in the logistical nightmare of getting your data infrastructure, policies, related procedures and training boots laced up and polished, to an EU best-data-practice shine.

If it is of any comfort, many organisations from tech firms to consultants, public bodies and governments have put on record that they aren’t sure they’ll make the May 25th deadline. The Belgian Commissioner for data protection has said that even the Belgian Data Protection Authority will not be 100% compliant with the GDPR by the deadline.

Commissioner Debeukelaere also emphasised that the EU will need the legal system to help define aspects of the GDPR and so “compliance” will be a moving target for some time. He advised that a “period of three or four years will be necessary to assess the success or failure of the GDPR” and called the two-year implementation period “a really very short period of time”.

At Great National Hotels and Resorts, we took an early lead in the hospitality field. We started assessing our existing practices and procedures around data, refining our policies and training staff as early as last Summer 2017, whilst also providing initial supports for our hotel members and partners.

We’re maintaining a pragmatic approach to this as we look set to be fully compliant within the required deadline. Our view is that compliance will continue to evolve as the realities of this legislation become more apparent.

A pro-active ethos on this issue is both professional and prudent. By taking our responsibilities as an industry toward protecting personal data in line with best practice, we serve our customers’ best interests and ultimately the interests of our respective businesses.

Looking deeper at the new legal framework, very little has actually changed from the data protection legislation that already governs hotels. You will find that the positive steps in PCI compliance and IT-security that you’ve likely already made will possibly mean that only minor tweaks will be necessary to your existing practices, but perhaps with some more attention paid to documenting the processes that you already have put in place.

So, what has actually changed?

Under the GDPR, the previous Eight Rules of Data Protection have been amended to Seven Principles, in essence what’s contained within them is similar, but they have been revised and condensed.

Subject Access Request: This was already in place under the 1988 Data Protection Act. What has changed is the time-frame - from forty days to one calendar month - and the ending of the €6.35 (£5.00) fee. The removal of the charge is contentious. It wasn’t excessive, but it did have a purpose. It allowed businesses to add a further level of protection because it helped verify identities. Without this extra safeguard companies will have to be even more careful about who they release data to under a written request for access.

Stringent checks should be made to establish the identity of the applicant as without such identification processes there is a potential for this change to cause the very kind of data breaches we are supposed to be protecting against. Beware bogus Subject Access Requests ...

The potential financial impact of improper practices around the processing, storage and retention of personal-data has changed for companies in two main ways. Firstly, the sanctions that can be imposed by the Data Protection Commissioner have increased up to a whopping €20m or 4% of your annual turnover (whichever is greater) for tier one data breaches.

Secondly, changes have also been made in the personal litigation arena. An individual (data subject) could always sue under existing acts for material harm. With the GDPR, this also allows for legal action to be brought privately for non-material harm as well.

The rights of the individual have been expanded in a few ways. The conditions around consent have been strengthened, meaning that companies can no longer disguise consent for joining a marketing database in a long list of unintelligible T&Cs or make marketing an ‘opt-out’ condition.

Consent must be given clearly and unambiguously with terms provided in plain language rather than complex legalese. It also must be as easy to subsequently opt-out as it was to opt-in to the marketing. The first principle of the GDPR is of key importance here. It may be helpful to note that your existing database, whose information was lawfully obtained under current territorial data protection rules do not need to be contacted to opt-in to your database according to present legal advice, you do need to provide them with an easy way to unsubscribe and it would be prudent to consider removing or limiting contact to ‘cold’ members of your database (i.e. those who have not made use of your services in over twelve months).

Changes have also been made regarding breach notification and the right to be forgotten. The GDPR also introduces the concept of data portability for all the personal data concerning an individual.

Arguably the biggest alteration to the data privacy regulatory landscape comes with the extended jurisdiction of the GDPR.

Whereas the prior legislation governed business operating within the domestic territory, the new framework expands the protective horizons to include all companies processing personal data of any data subject residing in the European Union, regardless of the location of the company. Non-EU businesses will have to appoint a representative in the EU if they are processing the data of EU citizens.

The GDPR will not supersede existing legislative requirements in most cases. Some instances where hoteliers will have to draw up some seemingly contradictory personal practices are around fulfilling health, safety and insurance obligations along with Section 10 of the Immigration Act, and various employment laws.

It’s worth getting legal advice on all of your policies and third-party processing agreements to ensure they are covering the myriad of legislation you need to consider before signing-off on them.

The GDPR introduces privacy by design as a legal requirement. At its core, it ensures that companies

consider and include provision for data privacy in all aspects of their operations around personal data processing.

Attitudes to managing data have changed drastically in a short space of time, from ‘How can you get more data and use it to benefit your company? Big data is the key to Success!’ to

‘Big data is far too much trouble!’. Take the recent Facebook/Cambridge Analytica debacle as a case in point.

The way forward is somewhere in between: recognizing data as a business asset if managed correctly but as a business liability if mistreated.

There’s an old saying that ‘you should never waste a good crisis’ and with this in mind, our view is that this is an opportunity for hotels to lead the way in how client data is managed both prudently and professionally, and in doing so, we end up strengthening guest relations whilst building brand equity.

That’s a ‘win’ by any definition.

GDPR questions? Please contact Aimée Olley, Data Protection Co-Ordinator for Great National Hotels and Resorts at