Why everyone needs to pay attention to new data rules


The European Union’s General Data Protection Regulation, which has a compliance deadline of May 28, 2018, is a daily headline for our industry. Noncompliance carries huge fines, with legal backing to uphold enforcement.

There are two levels of fines: the first is up to €10 million or 2 percent of a company’s global annual turnover of the previous financial year, whichever is higher; and the second is up to €20 million or 4 percent of a company’s global annual turnover of the previous financial year, whichever is higher. The regulatory fines are viewed on a per-case basis and are based on criteria such as the intentional nature of the infringement, how many people are impacted by the violation and whether the enterprise has had previous violations.

Currently, the GDPR is directly applicable to the 27 EU member states, to the European Economic Area member states (Liechtenstein, Iceland and Norway) and to any companies outside of the EU that offer goods or services to EU citizens. If your hotel, spa, club, casino, cruise line, timeshare community or even short-term rental holds personally identifiable information of an EU citizen, it is obliged to follow GDPR requirements. Given the international nature of the hospitality industry, that likely means a huge portion of our industry.


Much is notable and new in the regulation. Data subjects, the individuals whose data is collected, have extensive rights. Among these are the right to have data completely removed from all storage (the “right to be forgotten”), the right to move their own data from one entity to another, the right to rectification of inaccurate data and the right to bring class-action lawsuits, plus many more. In our litigious world, you can bet that in addition to the penalties for a violation, there are going to be civil lawsuits filed.
 
If your hospitality enterprise is collecting the data, then you also need to manage it, track it and protect it. HFTP has taken on the task of developing guidelines for the hospitality industry via its HFTP GDPR/DPO Advisory Council, a team of global experts who are translating the regulation through the perspective of hospitality systems and processes. In preparation for the compliance deadline, the council has developed resources, which are available on the HFTP website. These include hospitality organization flow charts, a job description for a hospitality data-protection officer (a required position for certain companies under GDPR) and a template letter to vendors to inquire about compliance. To keep the industry up to date and provide a range of analysis and tips, there is also HFTP’s GDPR Bytes, https://gdpr.hftp.org/, which aggregates global content on GDPR from across the internet.

For the few hospitality enterprises that might be excluded from GDPR, other countries are either in the process of introducing similar regulations or have already implemented their own, including Canada, China, Singapore and South Korea. If your organization has not reviewed these regulations, put it on your agenda and pay attention to what companies are doing to build protections into their systems.
