© 2009 Hospitality Upgrade. No reproduction without written permission.
Managing around the legal complexities of global cross-border data transfer from European Union (EU) countries has been the rule rather than the exception, because for multinationals, such as international hotel companies with EU and non-EU business entities, managing within the legal boundaries of EU data protection can be a daunting task.
Not only that, the recent proliferation of centralized systems and global hotel expansions add more complexity to the standard regulations regarding the legal use of personal data. Hotel companies that have an interfaced central customer database, or a central HR system with global talent management and similar functionality; and that are operating in and outside of Europe, need to be aware that: a) the EU does not allow the transfer of personal data from Europe to other countries without an adequate level of protection; b) in these types of central systems the data is stored depending on certain rules, such as the guest being a loyalty program member, and data is accessed depending on a role, such as the marketing communications manager. Where data processing occurs is irrelevant.
This changes the privacy landscape considerably, so what are the options? You can address these legal constraints for Europe, Canada, Argentina and via Safe Harbor in the United States. But for the other countries there really are only two methods:
1 Contracts. Individual contracts will need to be signed between all entities of the organization that exchange personal data. For example, a global company operating 50 hotels will need to process 1,225 contracts because the 50 hotel entities must also sign individual contracts with their sister hotels. Add on top of that the liability issue that is addressed in such contracts, which effectively makes it an addendum to your contract with the owner, and you can quickly see that this mesh-approach can become quite complicated and going the contractual route may not be desirable in all instances.
2 Binding Corporate Rules. It has recently become possible for multinationals to transfer personal data outside of Europe but within their business entities, by the adoption of binding codes of corporate conduct by the organization. These are known as binding corporate rules (BCR). These rules are, in effect, the creation of a global privacy standard for multinational corporations under EU law. BCR is an excellent tool for cross-border privacy protection, because they are adapted to business needs, involve less paperwork, increase awareness in the organization, enhance trust, and are also auditable.
For binding corporate rules to be approved a specific framework needs to be adhered to and compliant data security and data protection policies and procedures need to be in place. The BCR needs to be certified and has to fulfill EU national legal requirements, which means that your company’s data protection advisor must be fully involved right from the initial planning stage.
Going the binding corporate rules route should not be viewed as a quick and easy step, because it will mean a change in business practices and can even include a change in corporate culture. Privacy must become part of the general corporate governance principles: an internal international complaint-handling mechanism, audits and external reporting, a network of privacy officers, and mandatory rules for all employees worldwide.
Therefore BCR goes beyond the realm of IT governance and which of the two methods you choose also depends upon the needs of your organization.
However, many of the IT prerequisites for BCR could already be put in place as part of your PCI compliance program and catching these two birds with one stone is an efficient approach to preparing your company for global expansion.
After years of management experience in hospitality EU data protection, Wibecke Vinke consults in hospitality IT-related organizational processes and projects. She can be reached at www.wvinke.com, +41-79-2320575, w@wvinke.com.
Useful Links or Downloads:
A Compliance Roadmap
Principles by which binding corporate rules can be approved:
- Binding nature (internally and externally)
- Effectiveness (training, complaint handling, privacy officers, audit program)
- Cooperation duty
- Description of processing and data flows
- Mechanism for reporting and recording changes
- Data protection safeguards (privacy principles, transparency)
Corporate Governance:
Binding Corporate Rules
Binding Privacy Principles
Risk Assessment
Audits & Reporting
Privacy Officers
Compliant Handling
Legal Verification
Employee Training
Certification
Information Technology:
Implementation -
Update Information Security Systems
Data Mapping
Third-Party Requirements
Disaster Recovery Planning
Control Mechanisms
Training IT Staff
Policies & Procedures -
Information Security
IT Functions
End Users
Contracts
IT Security
Operations:
Implementation -
Update Applications
Data Management
Third-Party Reqirements
Business Continuity Planning
Control Mechanisms
Training Operational Staff
Policies & Procedures -
System Functionality
Data Stored
Working Methods
User Rights
Process Definition