Sam Crochet, Esq.
©2017 Hospitality Upgrade
If your organization is proactive or you’ve followed my past TechTalk articles, you may already be aware of the significant changes in store when the EU General Data Protection Regulation (GDPR) takes effect May 25, 2018.
Members of the U.S. hospitality industry who market to or collect personal information (PI) from EU residents are racing against the clock to satisfy the GDPR’s increased demands. Failure to comply carries stiff financial consequences – up to 4 percent of global annual revenue per violation or 20 million euros – whichever is higher.
There’s more bad news: Compliance isn’t a quick fix. Hospitality members who meet these data collection criteria must undergo operational reform and involve the C-suite to accommodate GDPR requirements.
What are the key issues the hospitality community must address in order to be compliant? And what are some of the troubling ambiguities within the GDPR that even well-informed organizations are still seeking to resolve?
Does the GDPR Apply to My Company?
The regulation is geographically expansive. It applies to any company that processes EU residents’ data – regardless of that company’s location. Simply put, if your organization markets its goods or services to EU residents beyond merely having a website, the GDPR applies. Practically speaking, hotel chains, casinos, auto-rental agencies and other hospitality members face considerable exposure to the GDPR given marketing strategies and the ease with which EU residents use these domestic services.
What Is the New Consent Requirement?
U.S. hospitality members subject to the GDPR will have to revise internal policies, vendor contracts and privacy notices. Why? The GDPR demands you give consumers the chance to “opt in” to data collection. This is generally contrary to current European and U.S. state and federal laws. Pre-ticked boxes on selection screens, silence or inactivity will not constitute consent under the GDPR. Your request for consent must be clear and concise. You can no longer make consumers’ consent a condition of using your service. Finally, when data processing has multiple purposes (like marketing vs. operations vs. IT), you must obtain consent for each purpose.
New Breach Notification Rules
If a data breach or cyber attack involves EU residents’ personal information, you must report the event to EU Supervisory Authorities within 72 hours. That’s a drastic contrast to many U.S. federal and state laws, which often allow far more time for companies to collect evidence and consider response strategies. The key to deciding if your company has suffered a reportable breach is the degree to which the incident risks what the GDPR terms consumers’ “rights and freedoms.” First, this measurement is ambiguous. Second, the tight deadline is likely to create major headaches for companies wrestling over whether to notify EU Supervisory Authorities and consumers.
What Types of Violations Will EU Officials Watch Out for the Most?
EU privacy officials have wide discretion to levy penalties of up to 4 percent of global revenue, or 20 million euros, whichever is higher. But a closer reading of the regulation suggests some violations will be treated more harshly than others. Maximum fines appear reserved for acts that infringe on consumers’ “complex rights.” This includes the aforementioned consent to collect PI, but also the “right to erasure,” which lets consumers have their PI deleted from a company or cloud database when the data is no longer necessary, the consumer withdraws consent, or the data reveals sensitive information like ethnicity or race. EU officials will pay special attention to companies that fail to alert business associates or cloud providers to delete a consumer’s PI in a timely manner.
Will We Have to Hire an Independent Data Protection Officer (DPO)?
Some companies should. It’s probably wise to have a DPO or, at minimum, an internal privacy professional who’s intimately familiar with GDPR requirements. However, many members of the hospitality community may not need a DPO. Comparing the GDPR text with the EU’s “Article 29 Working Party” guidelines, it seems clear that U.S. companies subject to the GDPR need a DPO only if their core activities consist of processing operations that require regular and systematic monitoring of data subjects (customers) on a large scale.
This is confusing. While many hospitality members do regularly collect and/or analyze customers’ PI on a large scale – for operational, billing or marketing purposes – it isn’t part of their core business activities. Examples of core activities include a hospital whose essential purpose is to provide safe healthcare – something it can’t do without effectively collecting and analyzing patients’ personal health records. Or think of a private security firm that provides surveillance at public parking lots. That’s tightly linked to the collection of personal information. Practically speaking, data collection done solely for secondary reasons, like billing, IT support or other service-related functions, isn’t a core activity.
What Type of Data Breach Triggers the 72-Hour Notification Requirement?
Hospitality members subject to the GDPR will have to report breaches to EU supervisory authorities where there is a “risk to the rights and freedoms of natural persons.” Further, a high risk necessitates reporting the breach to consumers themselves. Examples include processing that gives rise to potential discrimination, reputation damage, profiling (i.e., data analysis concerning behavior, finances, interests, etc.), identity theft, financial loss, and loss of information pertaining to children.
Supervisory authorities will also consider whether the PI reveals sensitive details like racial/ethnic origins, political or religious opinions, genetic or health data, or sexual orientation.
If a U.S. company subject to the GDPR conducts a data protection impact assessment (DPIA) – which the GDPR requires in situations where PI collection poses a “high risk” to consumers – it also must notify those consumers down the line should the same PI be breached. Therefore, when evaluating a breach, hospitality members must ask themselves whether the subject PI was also the focus of a prior DPIA. This will set off red flags if the EU investigates.
Hospitality members subject to the GDPR must immediately begin operational reform to address these concerns. Remember, these are only a small portion of the issues that GDPR compliance will create. Your best bet is to find a privacy professional who’s intimately familiar with the GDPR to help you guarantee compliance and avoid costly penalties.
Sam Crochet, Esq., is a CIPP-US certified attorney at Hall Booth Smith, PC. He specializes in data privacy/security matters and civil litigation and assists clients with data breach response, HIPAA compliance, development of cybersecurity/privacy policies and procedures and preparation for the EU's General Data Protection Regulation (GDPR).