In May, our email inboxes and internet browsing were inundated by messages of compliance for a new data-security regulation—-the European Union’s General Data Protection Regulation. For the hospitality industry, the new regulation holds significant weight due to the range of personal data we hold and the international nature of our guest database, including the EU citizens protected under GDPR. The reality though, is that hospitality companies outside the EU might still slowly be moving toward compliance, which is costly and time-consuming and not as high a priority.
I recommend that if your IT department has not taken steps toward protecting the personal data you have on file and managing it securely, it is time to move it up the strategic planning list. The EU GDPR is not the first data-protection regulation, and it won’t be the last. China, Canada and South Korea also have enacted regulations. And following suit, many states across the United States are enacting their own data protections. As the trend continues, it will become good business practice to have a stringent system of protection that will cover the multiple regulations protecting guest data. Here are some of the data-privacy laws enacted recently in the U.S.:
Vermont was the first state to lead the way to pass a more comprehensive law that goes beyond breach notification. The law, passed in mid-May, is focused on going after data brokers, which collect information from various sources and then resell it to businesses. To comply, data brokers in the state now will have to register with the state. The brokers also have to implement an information security program, allow consumers to opt out and notify authorities of any breaches. Also, if the state discovers that the broker is using the data for criminal activities, the state can take action against the company. Compliance will take effect Jan. 1, 2019.
The bigger consumer data-protection regulation is the California Consumer Privacy Act, passed in June, with enforcement starting Jan. 1, 2020. While it closely aligns with the GDPR, the California law is not as strict. The CCPA gives consumers the right to know what data a business holds on an individual, the right to disallow the sale of that data and the right to have it deleted. Under CCPA, a consumer can sue a company if it has a data breach and it is proven that the company was negligent in protecting the data. The consumer also has the right to know the purpose of the data collected. Differing from the GDPR is the requirement to opt-in to data collection (GDPR=required, CCPA=only for minors under age 16 for the sale of data).
The other difference between the regulations is enforcement. Rather than enforcement through a central governing body, the CCPA will be enforced through consumer lawsuits for data breaches. The rest of the act will be enforced via the California Attorney General at up to $2,500 per violation.
Other smaller, but notable laws have passed in 2018 across the United States. They include requirement for data-breach notification in Alabama, Arizona, Louisiana, Oregon, South Carolina, South Dakota and Virginia. Some states, including Colorado, Nebraska and South Carolina, require companies to put formal security policies in place.
Beyond the need to protect your company against heavy fines and reputational harm, I strongly believe it is the nature of our business to extend the hospitality to our guests by securely managing their information. It is a fact that cybercrime is big business, and in response your company strategy should make it a priority to protect guests from harmful use of their information. In the meantime, we aware of the wave of data-security regulations being passed and how they impact your data management.
Frank Wolfe is the CEO of Hospitality Financial and Technology Professionals. He can be reached at [email protected].