The European Union's General Data Protection Regulation: What Steps Must Members of the Hospitality Industry Take?

06/21/2017

US companies collect, analyze, and leverage consumer data to optimize efficiency, advertise and, hopefully, increase profits. However, with the rise of data breach incidents, a patchwork of laws and consumer expectations pressure companies to secure their networks, scrutinize their vendors (for example, the security posture of one cloud processor versus another), and be transparent about their collection practices. Privacy officers and in-house counsel may already understand that US data privacy is governed by a patchwork of state and industry-specific federal laws. However, companies across the hospitality community are (or should be) racing against the clock to satisfy the increased requirements of the EU's General Data Protection Regulation (GDPR), which becomes effective May 25, 2018. The GDPR replaces the current Data Protection Directive, which was well-intentioned but inadequate in light of changing technology. The GDPR contains notable changes and increased obligations to which US businesses must adhere or risk large financial penalties. This is the first of several articles updating readers on why the GDPR matters and what steps members of the hospitality industry should take to comply with the regulation.

1. Who does the GDPR affect?

The law is geographically expansive: it applies to the processing of the personal data of individuals in the EU (name, identification number, online identifier, or any factor specific to a person's physical, economic, cultural or social identity, etc.) regardless of where the company or processor is located.[1] The trigger is offering goods or services to people in the EU, or monitoring their behavior there. For instance, if a hotel markets its services to EU residents beyond merely having a website that is reachable from Europe (say, by quoting prices in euros, offering booking pages in an EU language, or targeting EU travelers with advertising), then it will likely be subject to the GDPR. Practically speaking, any organization that wants European customers, whether or not it has a European office, must comply with the GDPR.[2]

2. What are the consequences if a company does not comply with the GDPR?

US companies controlling or processing the data of EU residents face increased penalties for violating the new regulation. For the most serious infringements, fines can reach 20 million euros or 4 percent of total worldwide annual turnover for the preceding financial year, whichever is higher.[3] The regulation also grants European supervisory authorities the power to restrict or ban a company's processing of personal data altogether.[4] Obviously, US companies cannot afford to mishandle the security of EU residents' data. Below, I list some of the GDPR issues and requirements most applicable to the hospitality industry:

  • Stricter Technical and Organizational Security Measures
  • New Data Subject Consent Rules
  • More Demanding Breach Notification Rules; and
  • Vendor Scrutiny and Use of Processor Contracts (the GDPR's counterpart to HIPAA business associate agreements)

Stricter Technical and Organizational Security Measures

Unlike some state and federal laws and the current European Data Protection Directive, the GDPR raises the bar on the safeguards a company must take to protect customer information against unauthorized access, accidental loss or alteration. The regulation requires companies to implement "appropriate technical and organizational measures," judged against the state of the art, the cost of implementation and the risk the processing poses to the individuals concerned.[5] "Appropriate" measures include, but are not limited to:

(1) Encryption or pseudonymization of personal data. The regulation explicitly names both as measures for keeping customer information from being read by anyone who should not have it. Encryption is the stronger control but brings licensing, key-management and administrative overhead, so some businesses will also benefit from pseudonymization: replacing the direct identifiers in a record (name, e-mail address, passport number) with tokens, so that the record can no longer be attributed to a specific person without additional information, such as a key or lookup table, that is kept separately under its own access controls. Hospitality members should be careful on one point here. The GDPR does not apply to data that cannot be related to an identifiable person, and truly anonymized data therefore falls outside the regulation; pseudonymized data, however, remains personal data within the GDPR's scope, because the link to the individual can be restored by whoever holds the key or table. Pseudonymization is nonetheless expressly encouraged, because it limits what an attacker, or an over-privileged employee, learns from a data set. Encryption and pseudonymization also help organizations meet other GDPR requirements. For example, depending on the risk of harm, companies must notify European authorities and, in some cases, the affected individuals following a data breach incident (the subject of another article). Where the breached data was encrypted and the keys were not also compromised, the breach is far less likely to harm anyone, and the regulation specifically relieves the company of the duty to notify the individuals in that situation; pseudonymization likewise lowers the assessed risk. Companies using these techniques therefore stand a better chance of avoiding costly notification obligations.
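What pseudonymization of a hotel guest record looks like in practice, as an added example in Python that is not part of the article (the guest records, names and field layout are constructed for illustration). It makes two points the paragraph above only implies: the tokens must be keyed, with the key held separately, because a bare hash of an e-mail address is reversed by simply guessing plausible addresses; and analytics such as per-guest spend still work on the tokens, so the hotel loses little by removing identifiers from the working copy.

```python
import hashlib
import hmac
import secrets

# Constructed sample guest records (hypothetical people, not real data).
GUEST_RECORDS = [
    {"guest_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "passport": "X1234567", "room": "412", "nights": 3, "spend_eur": 640.0},
    {"guest_id": 1002, "name": "Bob Example", "email": "bob@example.org",
     "passport": "Y7654321", "room": "210", "nights": 1, "spend_eur": 180.0},
    {"guest_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "passport": "X1234567", "room": "305", "nights": 2, "spend_eur": 410.0},
]

# Fields that directly identify the guest; everything else stays in clear.
DIRECT_IDENTIFIERS = ("guest_id", "name", "email", "passport")


def make_pseudonymisation_key():
    """Secret behind every token. This key, like the mapping produced below,
    is the 'additional information' the GDPR (Art. 4(5)) requires to be kept
    apart from the pseudonymised data, e.g. in a KMS/HSM with its own ACL."""
    return secrets.token_bytes(32)


def pseudonym(key, field, value):
    """Keyed, deterministic token for one identifier value.
    HMAC-SHA256 rather than a bare hash: without the key nobody can
    recompute tokens to test guesses. The field name is mixed in so the
    same string appearing in two fields does not yield the same token."""
    msg = f"{field}\x00{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def unkeyed_pseudonym(value):
    """The weak alternative: a bare hash with no secret. Included only to
    show why it is not adequate pseudonymisation."""
    return hashlib.sha256(str(value).encode("utf-8")).hexdigest()[:32]


def pseudonymise_dataset(key, records):
    """Replace direct identifiers with tokens.
    Returns (pseudonymised records, mapping token -> (field, original value)).
    The mapping must be stored separately from the records it unlocks."""
    pseudo, mapping = [], {}
    for record in records:
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                token = pseudonym(key, field, out[field])
                mapping[token] = (field, out[field])
                out[field] = token
        pseudo.append(out)
    return pseudo, mapping


def reidentify(pseudo_record, mapping):
    """Restore a record for an authorised use (e.g. the front desk).
    Only a holder of the separately stored mapping can do this."""
    out = dict(pseudo_record)
    for field in DIRECT_IDENTIFIERS:
        if field in out and out[field] in mapping:
            out[field] = mapping[out[field]][1]
    return out


def spend_per_guest(pseudo_records):
    """Analytics still work on tokens: the same guest always maps to the
    same token, so records can be joined and aggregated without anyone
    in the analytics team knowing who the guest is."""
    totals = {}
    for r in pseudo_records:
        totals[r["guest_id"]] = totals.get(r["guest_id"], 0.0) + r["spend_eur"]
    return totals


def recover_by_guessing(token, candidates, tokenizer):
    """Dictionary attack on a token: recompute it for each guessed value.
    Succeeds against unkeyed hashes, and against keyed tokens only for
    whoever holds the real key, which is why the key itself is sensitive."""
    for c in candidates:
        if hmac.compare_digest(tokenizer(c), token):
            return c
    return None


if __name__ == "__main__":
    key = make_pseudonymisation_key()
    pseudo, mapping = pseudonymise_dataset(key, GUEST_RECORDS)
    print("working copy:", pseudo[0])
    print("spend per guest token:", spend_per_guest(pseudo))
    print("front desk view:", reidentify(pseudo[0], mapping))
    guesses = ["carol@example.net", "bob@example.org", "alice@example.com"]
    print("unkeyed hash reversed:",
          recover_by_guessing(unkeyed_pseudonym("alice@example.com"), guesses, unkeyed_pseudonym))
    print("keyed token without key:",
          recover_by_guessing(pseudo[0]["email"], guesses,
                              lambda c: pseudonym(secrets.token_bytes(32), "email", c)))
```

The working copy handed to marketing or analytics contains only tokens and non-identifying fields; the key and the token mapping sit with whoever is authorized to re-identify guests. Re-identification remains possible, which is exactly why this data is still personal data under the regulation, but a leak of the working copy alone exposes nothing a guesser can reverse.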

(2) A contingency plan for a technical incident (such as a cyber attack or "ransomware" event). Companies under the GDPR should have an emergency plan establishing how they will respond and keep operating during a data breach incident; the regulation specifically requires the ability to restore availability of and access to personal data in a timely manner after an incident. For example, during a cyber attack on a hotel chain, the hotel should be prepared with a plan employees have practiced so the appropriate personnel can (a) identify what data has been compromised, (b) restore from backups so normal business operations can continue, (c) work with the in-house IT team (and potentially an outside forensic specialist) to contain and eradicate the attack, (d) rebuild the affected systems, and (e) examine alongside counsel the legal obligations arising out of the event, including the regulation's clock for notifying the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

(3) Run regular tests to evaluate the effectiveness of technical and organizational security measures. For example, a "penetration test" is a simulated attack on a computer network or application, performed to identify security strengths and weaknesses; for a hotel, that means the systems that actually hold guest data, such as the property management system, the online booking engine and the guest Wi-Fi network. Such testing helps businesses identify which software and configuration issues need addressing to improve security. Likewise, administrative fire drills (tabletop exercises) that walk through the contingency plan above will help businesses prepare for a real data breach incident.

Keep in mind that GDPR violations carry heavy penalties that could crush a small business. Documenting the steps you have taken to address the above issues matters: the regulation directs supervisory authorities to weigh the technical and organizational measures a company had in place when deciding whether to fine it and how much, so a documented security program can go a long way towards dramatically reducing penalties in an enforcement action.

This article only broadly addresses the GDPR's technical and organizational security requirement. Contact a privacy attorney to analyze the best approach for your organization and to understand the finer points of the GDPR's technical/organizational requirements.



[1] GDPR Article 3.

[2] Courtney Bowman, "A Primer on the GDPR: What You Need to Know," December 23, 2015.

[3] GDPR Article 83(5). Note that individuals also have a right to a judicial remedy against controllers and processors under the GDPR.

[4] GDPR Article 58.

[5] GDPR Article 32; GDPR Recital 49.

About The Author
Sam Crochet Esq. CIPP-US

Hall Booth Smith, PC


Sam Crochet, Esq. is a CIPP-US certified attorney at Hall Booth Smith, PC. He specializes in data privacy/security matters and civil litigation. He assists clients with data breach response, HIPAA compliance, development of cybersecurity/privacy policies and procedures and preparation for the EU's General Data Protection Regulation (GDPR).

 
Comments
Blog post currently doesn't have any comments.
Leave comment



 Security code