GDPR stands for the General Data Protection Regulation that globally impacts the processing of all personal data of residents in the European Union (EU).
1. General Data Protection Regulation (GDPR): Effective May 25, 2018, the GDPR aims to protect and strengthen the privacy rights of EU individuals through stricter, more defined requirements for handling and processing personal data. Non-compliant controllers will see fines up to 20 million euros or 4% of annual turnover (whichever is greater). However, smaller companies and companies able to demonstrate that they are working with data protection in mind are likely to see reduced fines.
All organizations who provide goods or services to the EU or possess the personal data of an EU citizen are subject to the GDPR. If your hotel has personal data on any EU resident or citizen, regardless of your hotel’s location, the GDPR applies.
2. Personal Data: Any data relating to an individual, true or not, that could lead to the identification of an individual. This information includes but is not limited to:
Another aspect of Personal Data is Sensitive Personal Data. For example:
Racial or ethnic origin of the individual
Religious or philosophical beliefs
Trade union membership
Physical or mental health
Genetic and biometric data (including photos)
Moreover, Personally Identifiable Information (PII), which is similar to Personal Data, represents more specific information. Used in security and privacy laws, it includes some aspects of Personal Data such as name and phone number but also encompasses more explicit factors such as maiden name and social security number, for example.
3. Proof of Consent: In the GDPR, consent is the basis of processing personal data. Consent requires a positive opt-in. Silence, pre-checked boxes, or inactivity will not be accepted as consent. Individuals must be clear on why they will have to provide personal data and for what it will be used. It’s mandatory to keep evidence of how and when you request, obtain, and document consent.
Additionally, EU citizens have the right to withdraw consent at any time. Double opt-in, whereby an individual, upon signing up for email promotions, receives an email with a verification link, though not required, is another method of capturing Proof of Consent from individuals.
4. Right of Data Portability: EU citizens have the right to access and request a copy of their own personal data at any time. They can update, delete, restrict, or move their data to another organization without interference, under any circumstances.
5. Data Controller: The entity that determines the purpose and method of processing the personal data. In this case, the data controller is the hotel.
6. Data Processor: The entity that processes data on behalf of the data controller. Oftentimes, data processors are vendors and contractors for hotels. In this case, the data processor is Revinate.
7. Data Subprocessor: The entity that processes personal data on behalf of the processor in order for them to complete their work. An example is Return Path, helping hotel marketers with their email deliverability.
8. Right to Erasure: Also known as Right to Be Forgotten. Under the GDPR, individuals have the right to request a controller delete all of the information known about them and end further distribution of the data.
9. Right to Correction: Also known as Right to Rectification. Individuals have the right to demand correction of their personal data from a controller.
10. Right to Refuse Profiling: This gives EU citizens the right to avoid being targeted specifically based on their data. Profiling, as defined by the GDPR, requires an outcome or action of some sort as a result of personal data processing. Fortunately for hotels, they can exclude guests from marketing segments.
11. Data Protection by Design: Also known as Privacy by Design. Controllers must implement appropriate technical and organizational measures to ensure the continued integrity, confidentiality, and usability of their personal data processing systems and services. They must guarantee that only necessary personal data for each specific purpose is processed. Data protection measures must be implemented by design and by default.
12. Data Breaches: A breach in security that leads to the accidental or prohibited access to, destruction, misuse, or exposure of personal data. In the case of a personal data breach, the controller must notify the nominated EU authority within 72 hours of becoming aware.
What is the date that GDPR will begin to be enforced?
May 25, 2018
Does GDPR impact my organization?
GDPR applies to your organization, if you answer “yes” to any of the following questions:
Is your company an establishment in the European Union?
Does your company offer goods or services to the residents of the EU?
Is your company monitoring an EU individual’s behavior? Such as creating a marketing profile based on their user history or predicting their propensity to purchase based on their activity.
Businesses should plan to assess the impact of your company’s data processing practices and how that could potentially affect the brand perception of the company even if GDPR does not apply to your organization.
What is the reasoning behind initiating GDPR?
The GDPR aims primarily to give control over personal data back to individuals in the EU and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Controller vs. Processor
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
Does my company need to appoint a Data Protection Officer?
DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Article 37). If your organization doesn’t fall into one of these categories, then you may still choose to appoint a DPO.
What is considered personal data?
Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
What are the penalties for violating GDPR?
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 million. This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g., a company can be fined 2% for not having their records in order (Article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.
Steps to being GDPR compliant:
Consult your legal counsel.
Review the law to become more familiar with GDPR.
Assess your organization’s data processing practices and outline the steps it will take for your organization to become GDPR compliant.
Develop a plan for handling consent for both new subscribers, as well as existing subscribers.
Develop a team of in-house GDPR experts.
Outline a plan, complete with timelines and ownership of activities. Be sure to include consent management.
Begin executing on the GDPR plan; be sure to document actions taken toward compliance.