Why everyone needs to pay attention to new data rules


The European Union’s General Data Protection Regulation, which has a compliance deadline of May 28, 2018, is a daily headline for our industry. Noncompliance carries huge fines, and the regulation has the legal backing to enforce them.

There are two levels of fines: the first is up to €10 million or 2 percent of a company’s global annual turnover for the previous financial year, whichever is higher; the second is up to €20 million or 4 percent of a company’s global annual turnover for the previous financial year, whichever is higher. Regulatory fines are assessed on a case-by-case basis, using criteria such as whether the infringement was intentional, how many people were affected by the violation and whether the enterprise has had previous violations.

Currently, the GDPR applies directly to the 27 EU member states, to the European Economic Area member states (Liechtenstein, Iceland and Norway), and to any company outside the EU that offers goods or services to EU citizens. If your hotel, spa, club, casino, cruise line, timeshare community or even short-term rental holds personally identifiable information of an EU citizen, it is obliged to follow GDPR requirements. Given the international nature of the hospitality industry, that likely covers a huge portion of our industry.


Much in the regulation is notable and new. Data subjects, the individuals whose data is collected, have extensive rights. Among these are the right to have their data completely removed from all storage (the “right to be forgotten”), the right to move their own data from one entity to another, the right to rectification of inaccurate data and the right to bring class-action lawsuits, plus many more. In our litigious world, you can bet that in addition to the penalties for a violation, civil lawsuits will be filed.
 
If your hospitality enterprise is collecting the data, then you also need to manage it, track it and protect it. HFTP has taken on the task of developing guidelines for the hospitality industry via its HFTP GDPR/DPO Advisory Council, a team of global experts who are interpreting the regulation from the perspective of hospitality systems and processes. In preparation for the compliance deadline, the council has developed resources that are available on the HFTP web site. These include hospitality organization flow charts, a job description for a hospitality data-protection officer (a required position for certain companies under GDPR) and a template letter for asking vendors about their compliance. To keep the industry up to date and provide a range of analysis and tips, HFTP also runs GDPR Bytes, https://gdpr.hftp.org/, which aggregates global content on GDPR from across the internet.

For the few hospitality enterprises that might be excluded from GDPR, other countries are either drafting similar regulations or have already implemented their own, including Canada, China, Singapore and South Korea. If your organization has not reviewed these regulations, put it on your agenda and pay attention to what companies are doing to build protections into their systems.