• Follow us on:

 

Tech Talk

Recent posts

In my June column, we discussed why the General Data Protection Regulation (GDPR) matters to the hospitality industry and the technical/organizational steps members should take to comply with the regulation. Practically speaking, any U.S. company desirous of European customers must comply with the GDPR as of May 25, 2018, or risk facing penalties as high as 4 percent of global revenue.

I’m a numbers guy so let’s start with a few from this year’s HITEC. HFTP, who produces HITEC, turns 65 years old this year, HITEC celebrated 45 years in existence by setting an attendance record, and Hospitality Upgrade is celebrating its 25th birthday. And you couldn’t help but feel the buzz in Toronto as Canada prepared to celebrate its sesquicentennial (150 years) the Saturday after HITEC.

Last year was a pivotal one for independent hotels, per STR, an American company that tracks supply and demand data for multiple market sectors, which revealed that these ‘un-branded’ properties had greater overall average daily rate (ADR) and revenue per available room (RevPAR) than their branded hotel brethren. Expedia, Inc. dug deep into its Q1 2017 data to shed light on the continued rise of independents in 2017, and offer tips for independent properties to best leverage this momentum.

Employee engagement has been getting more attention from executives, especially as more practitioners worry about the shift in workforce mentality and what employees expect from their organizations. Jimmy Lin shares three vital building blocks to engage (and retain) employees. 

Hotel template websites while being a cheap and fast way to set up your website are not recommended if you are looking to make the most of your money.

want to read more articles like this?

want to read more articles like this?

Sign up to recieve our weekly newsletter and monthly e-magazine and never ever miss an issue!

Subscribe

Keep up to date on all the latest industry news.

x
 

PART 2: The European Union's General Data Protection Regulation: Two Important Steps to Take

07/18/2017
In my June column, we discussed why the General Data Protection Regulation (GDPR) matters to the hospitality industry and the technical/organizational steps members should take to comply with the regulation. Practically speaking, any U.S. company desirous of European customers must comply with the GDPR as of May 25, 2018, or risk facing penalties as high as 4 percent of global revenue.

In this segment, we move on to two key requirements of the GDPR that supervisory authorities will be monitoring (and enforcing) closely: consent and breach notification.
 
1. Changes to How Hospitality Members Must Obtain "Consent" to Collect Data
 
The GDPR requires companies to give European consumers the chance to “opt in” to data collection by a statement or clear affirmative action. Presentation of the “opt in” request must be clear and concise. This is a stark shift from the former EU regime and the opposite of many U.S. state/federal laws. The rule requires major overhaul in written policies and customer forms (both digital and paper). For example, a hotel's online booking page displaying pre-ticked boxes for consenting to the collection of names, email addresses, and telephone numbers will no longer suffice. Likewise, a hotel's collection of personal information based on consumer inactivity or silence in the face of a privacy notice does not trigger consent. Instead, the consumer must be given the chance to express affirmative action at either ticking an empty box or providing some other explicit consent such as submitting a signature. Further, for those companies hoping to gain opt-in consent through electronic signatures that succeed boiler plate language, the GDPR requires organizations provide consent requests that are closely linked to the processing activity through clear affirmative action regarding that specific collection practice. Similarly, when data processing has multiple purposes, consent must be obtained for each purpose (i.e. marketing versus customer service). 
 
Additionally, the GDPR gives consumers the right to withdraw consent at any time. Companies must notify consumers of this right before obtaining consent and, once consent is withdrawn, consumers can request their personal information be erased. 
 
2. Changes to the Data Breach Notification Rules for Many Hospitality Members
 
Perhaps no section of the GDPR reflects increased consumer protectionism as much as the new data breach notification rules. Hospitality members under the GDPR will face far greater exposure to costly breach reporting requirements for EU citizens' data than with U.S. consumers since there is more “personal data” under the GDPR. “Personal data” is any information relating to an identifiable natural person. This could feasibly be everything from names, telephone numbers, email addresses and photographs to IP addresses, online cookies, and mobile device IDs. Less restrictive U.S. state/federal laws often require "personal data" to include a full name and a social security, driver’s license, or financial account number. Given this increased exposure under the GDPR, hospitality members should immediately analyze the scope of the information they collect to determine how vulnerable they are to the GDPR’s definition of “personal data.” Depending on what data is being collected, companies will need to immediately reform their policies pertaining to breach response and subsequent notifications. On a side note, it is highly advisable to practice “pseudonymization” as data is only “personal” under the GDPR if it can be linked to an identifiable person. By de-humanizing information, a company can often avoid the obligations of the GDPR, costly breach reporting requirements, and the public relation storms that often follow a data breach.
 
In the event of a data breach involving EU residents’ data, U.S. companies will have to report the event to certain European Supervisory Authorities within 72 hours of obtaining notice of the breach. This is more precise than many state laws, which generally include a “reasonable time period” or “without undue delay” standard. Further, whereas notification to the European Supervisory Authorities turns on whether there is a general “risk” to the consumer, the obligation to provide notification to consumers themselves turns on whether there is “high risk” to the consumer. Thus, when reviewing or developing a breach response procedure, hospitality members under the GDPR need to factor whether a breach’s risk to a consumer meets this high standard, at which point it would have to provide immediate consumer notice. This ambiguity could trouble hospitality members struggling to respond in the hours and/or days following a breach. The GDPR does offer some clarity, indicating “high risk” may incorporate severe vulnerabilities such as threat of identity theft, financial loss, fraud, discrimination, and/or damage to reputation. 
 
GDPR auditors will not smile kindly on U.S. companies seeking loopholes in the law. The highest potential fines will be reserved for companies violating the most basic principles for processing, such as consent or breach notification.
 
Hospitality members can reduce exposure under the GDPR by performing a full risk assessment starting with the scope and legal significance of their data collection practices. (1) Revising internal policies/procedures to accommodate the GDPR's consent and notification requirements and (2) tailoring breach response protocol to the timing and risk/high risk test will go a long way toward avoiding a violation and, most importantly, will document the compliance steps members have taken in the event of an EU audit.
About The Author
Sam Crochet Esq. CIPP-US

Hall Booth Smith, PC


Sam Crochet, Esq. is a CIPP-US certified attorney at Hall Booth Smith, PC. He specializes in data privacy/security matters and civil litigation. He assists clients with data breach response, HIPAA compliance, development of cybersecurity/privacy policies and procedures and preparation for the EU's General Data Protection Regulation (GDPR).

 
Comments
Blog post currently doesn't have any comments.
Leave comment