• Follow us on:

 

Tech Talk

Recent posts

With the use of industrial robots on the rise, society has become aware of what the future of robots might mean for certain industries, especially the hospitality industry. But, what we know for sure is the continuous development for robots. Boston University students look into their purpose within the hospitality industry and how it might change 

Right now in your lobby or lurking around a corner, or in a small room or closet is a potential thief, one that is ignored or unnoticed because of its ubiquity. That’s your ATM, sitting there as an attack vector against our guests and your reputation. Jeff Parker opens up about the obvious threat sitting in your hotel lobby and how to best protect yourself.

The last two years have been invaded with mass data breaches and the hospitality industry has not been immune to these attacks. With the swell of guest data being collected today, security of Personally Identifiable Information (PII) is something hotels need to be particularly aware of. Boston University students look into data security and how to best protect your organization. 

In today's technological world, having a strong internet presence has become essential for every hotelier. Similarly, we can't overemphasize the importance of owning a professional-looking website. Nimesh Dinubhai explains the importance of a fresh and clean website and how it benefits your website in the long run. 

Innovation, technological advances and leadership have one major thing in common... you must be intentional to achieve progress and success in all three. And to ensure consistent improvement, you have to TPM: Think and Prepare before you Move. Renie Cavallari talks game-changing strategy for you and your team in the new year.



want to read more articles like this?

want to read more articles like this?

Sign up to recieve our weekly newsletter and monthly e-magazine and never ever miss an issue!

Subscribe

Keep up to date on all the latest industry news.

x
 

The European Union's General Data Protection Regulation: What Steps Must Members of the Hospitality Industry Take?

06/21/2017

US companies collect, analyze, and leverage consumer data to optimize efficiency, advertise and, hopefully, increase profits. However, with the rise of data breach incidents, varying laws and consumer demand pressure companies to secure networks, scrutinize vendor usage—such as security of one cloud processor versus another, and be transparent with "collection practices." Privacy officers and in-house counsels may already understand US data privacy is controlled by a patchwork of state and industry-specific federal laws. However, companies across the hospitality community are (or should be) racing against the clock to satisfy increased requirements of the EU's General Data Protection Regulation (GDPR), which becomes effective May 25, 2018. The GDPR will replace the current Data Protection Directive, which was well-intentioned, but inadequate in light of growing technologies. There are notable changes and increased obligations within the GDPR to which US businesses must adhere or risk huge financial penalties. This if the first of several articles updating readers on why the GDPR matters and what steps members of the hospitality industry should take to comply with the regulation.

The European Union's General Data Protection Regulation: What Steps Must Members of the Hospitality Industry Take?

1. Who does the GDPR affect?

The law is geographically expansive as it applies to the processing of EU residents’ personal data (name, ID number, reference to a physical, economic, or cultural identity of a person, etc.) regardless of the company/processor’s location. For instance, if a hotel markets its services to EU residents beyond merely having a website, than it will likely be controlled by the GDPR. Practically speaking, any organization desirous of European customers—regardless of whether the organization has a European-based office—must comply with the GDPR.

2. What are the consequences if a company does not comply with the GDP

US companies controlling or processing data of EU residents face increased penalties for violating the new regulation. Fines can reach 4 percent of annual global revenue, or 20 million Euros per violation. The regulation also grants European Supervisory Authorities the power to ban a company’s data collection practices altogether. Obviously, US companies cannot afford to mishandle security of EU residents’ data. Below, I list some of the GDPR issues/requirements most applicable to the hospitality industry:

  • Stricter Technical and Organizational Security Measures
  • New Data Subject Consent Rules
  • More Demanding Breach Notification Rules; and
  • Vendor Scrutiny and Use of Business Associate Contracts

Stricter Technical and Organizational Security Measures

Unlike some state/federal laws and the current European Data Protection Directive, the GDPR increases the safeguards a company must take to protect customer information against unauthorized access, accidental loss or alteration. The regulation mandates companies implement appropriate technical and organizational measures. "Appropriate" actions include, but are not limited to:

(1) "Encryption" or "Pseudonymization" of personal data—The regulation explicitly names encryption as a technique to avoid improper disclosure of customer information. Encryption software often comes at a higher cost and has its administrative obstacles. As a result, some businesses may instead benefit from "pseudonymization" of personal data. Hospitality members should know the GDPR does not apply to consumer information unrelated to identifiable persons and, further, expressly approves pseudonymization—the concept of removing personal "identifiers" from information to eliminate a link to one's identity—which would remove data from the scope of the GDPR. Encryption and/or pseudonymization help organizations meet other GDPR requirements as well. For example, depending on the risk of harm, companies must notify European authorities and citizens following a data breach incident (the subject of another article). Since encryption/pseudonymization reduce the risk of harm to EU citizens, companies using these techniques stand a higher chance of avoiding costly reporting obligations.

(2) A contingency plan amidst a technical incident (such as a cyber attack or “ransomware” event)—Companies under the GDPR should have an emergency plan establishing how they will respond and operate during a data breach incident. For example, during a cyber attack on a hotel chain, the hotel should be prepared with a plan employees have practiced so appropriate personnel can (a) identify what data has been compromised, (b) trigger "back up" data for normal business operations, (c) work with the in-house IT team (and potentially an outside forensic specialist) to contain/eradicate an attack, (d) restore operating systems, and (e) examine alongside counsel the various legal obligations arising out of the event.

(3) Utilize regular tests to evaluate effectiveness of technical/organizational security measures—For example, an IT “penetration test” is a simulated attack on a computer network to identify security strengths and weaknesses. Such a tactic assists businesses to identify what software/issues need addressing to improve security. Also, administrative fire drills to test the aforementioned contingency plan will help businesses prepare for a data breach incident.

Keep in mind GDPR violations carry heavy penalties that could crush small businesses. Documenting steps you have taken to address the above issues may establish mitigating factors that could go a long way towards dramatically reducing penalties amidst a GDPR audit.

This article only broadly addresses the GDPR's technical and organizational security requirement. Contact a privacy attorney to analyze the best approach for your organization and to understand the finer points of the GDPR's technical/organizational requirements.



[1] GDPR Article 3.

[2] “A Primer on the GDPR: What You Need to Know.” Bowman, Courtney, December 23, 2015

[3] GDPR Article 83(5). It should be noted consumers have a right to judicial remedy against companies and processors under the GDPR.

[4] GDPR Article 58.

[5] GDPR Article 32; GDPR Recital 49.

About The Author
Sam Crochet Esq. CIPP-US

Hall Booth Smith, PC


Sam Crochet, Esq. is a CIPP-US certified attorney at Hall Booth Smith, PC. He specializes in data privacy/security matters and civil litigation. He assists clients with data breach response, HIPAA compliance, development of cybersecurity/privacy policies and procedures and preparation for the EU's General Data Protection Regulation (GDPR).

 
Comments
Blog post currently doesn't have any comments.
Leave comment



 Security code