The General Data Protection Regulation comes into force on 25 May, bringing with it a shake-up of privacy rules to make data processing fit for the 21st century. Andrew Don reports
The GDPR is the new regime that replaces the Data Protection Act 1998 in the UK. It is, in essence, the UK’s existing legislation on steroids. It covers the protection of identifiable individuals’ personal data, its processing and free movement.
The regulation updates data protection for a more sophisticated digital age, providing uniformity across the European Union (EU) and among those entities outside the EU that store or process the data of anyone in a member state.
The UK has already committed itself, Brexit or no. UK regulator the Information Commissioner’s Office expects the third reading of the UK’s new Data Protection Bill, which will incorporate GDPR provisions, to be passed next month if all goes to plan.
What’s it all about?
The GDPR applies to all personal data that can identify an individual.
Identifiers include name, identification number and location data, along with online giveaways such as an internet protocol (IP) address, to reflect changes in technology and the way organisations collect information about people. It also affects pseudonymised data that can be linked back to individuals.
Why you should care
The maximum penalty for breach is a €20m (£17.9m) fine or 4% of total global turnover for the previous year, whichever is the highest – far in excess of the current £500,000 maximum. In the case of a breach there is also the resultant damage to a business’s reputation to consider.
Philip Greaves, director of global consulting firm Protiviti, says hospitality companies might hold significant amounts of their customers’ personal data: credit card details, transaction information, food preferences and allergies, for example. It might be possible to use this information to identify religion or ethnicity through food preferences or even medical conditions.
“This type of information is considered a special category of personal data and requires a greater degree of care than regular data, such as names and addresses,” Greaves says.
Who it affects
The GDPR affects just about every operator in the hospitality sector. Employers who retain employee and contractor details must have a lawful basis for processing such data, such as a legal obligation or an enforceable contract. The new regime also applies to loyalty schemes, lists of contacts for marketing that include personal identifiers, registration forms for customers to fill in, and data collected by websites (digital cookies).
The new regime also affects the security of that data: a single-branch coffee shop that processes individuals’ data would need to secure its systems just as an international hotel chain would, albeit it is likely to be less complicated and expensive to do so.
The GDPR is all about the size of the risk posed, not about the size of the organisation.
Does your business use the cloud and other third parties that handle client, contractor or staff data? If so, the onus is on you to check they are GDPR-compliant. Your customer data could be sitting on a server in an unsecured office in Outer Mongolia. You need to find out.
Charlotte Ebutt, solicitor in Royds Withy King’s technology and media team, says the specific principle of accountability is key. “It is no longer the case of just doing the right thing. Under GDPR, you will need to be able to prove it and demonstrate compliance,” she says.
The GDPR aims to give individuals greater control over their personal data, including the right to request it is edited, restricted or even erased (the right to be forgotten).
Paula Tighe, director of information governance at legal firm Wright Hassall, says the issue of consent for personal data to be captured and used for more than just contact is a tricky area. “Individuals must give clear consent for their data to be used, but must be allowed to revoke consent easily at any time,” she says. “If you change the way you want to use the data, you must obtain a new consent.”
Consent must be explicit for every use of the data.
Members association Hospitality Financial and Technology Professionals (HFTP), presided over by chief operating officer Carl Weldon, set up a team last March to manage a hospitality programme for the 2018 GDPR compliance deadline.
Its aim was to put together a taskforce of experts comprising hospitality industry leaders to help prepare for the changes. The taskforce members included Stephen Carter, general manager at Old Course Hotel, Golf Resort & Spa, in St Andrews; Benny Nur, technical services director at Interstate Europe Hotels & Resorts; and Tara O’Neill, managing director for Avoca.
Alvaro Hidalgo, chairman of HFTP’s GDPR taskforce, says the challenges include how to:
• obtain specific and informed consent while avoiding overwhelming customers with long forms and excessive questions
• comply with the GDPR requirements of “purpose, accessibility, availability and security” of personal data
• identify, locate, modify and delete personal data from operators’ systems
• establish the extent of customers’ consent in multi-department organisations and where third parties handle data, including systems/software vendors, marketing and loyalty programmes
• assess the GDPR impact in franchise agreements and other contracts
• identify who has responsibility for the management of personal data, including within organisations that have franchises
• review the impact on multinational companies operating within and outside the EU
• vet third parties’ processes to ensure they comply
• appoint a data protection officer, whether that is within the organisation itself or an outsourced role.
Do you need a data protection officer?
Does every organisation, regardless of size, need a data protection officer (DPO)?
An organisation must appoint a DPO if it performs large-scale monitoring of individuals (for example, online behaviour tracking), or if it carries out large-scale processing of special categories of data (such as race, ethnic origin, religion, trade union membership or sexual orientation – and express permission must have been given to collect the last item) or data relating to criminal convictions and offences.
An organisation must have sufficient staff and skills to discharge its obligations under the GDPR, regardless of whether the GDPR obliges it to appoint a DPO.
What is the DPO’s function?
The DPO’s minimum tasks are to:
• inform organisations and employees of their obligations to comply with the GDPR
• monitor GDPR compliance (including managing internal data protection activities), advise on data protection impact assessments, train staff and conduct internal audits
• be the first point of contact for supervisory authorities and for individuals.
Do the DPOs need specific qualifications?
No, but they should have professional experience of data protection law. This should be proportionate to the type of processing an organisation carries out and the level of protection the personal data requires. The DPO reports to the top management level – the board.
The DPO must operate independently and not be penalised for performing their role. Adequate resources must be provided so they can do their job.
Can the DPO role be outsourced?
The role can be allocated to an existing employee if the work is compatible with their existing duties and does not lead to conflict of interest. The role can also be contracted out.
Does the GDPR affect B2B marketing or is it just B2C marketing?
It affects B2B if personal data is processed. Direct marketing is currently covered by the Privacy and Electronic Communication Regulations (PECR). PECR is likely to be replaced by a new e-privacy directive by 2019.
The e-privacy regulation should further explain compliance with the GDPR for this type of communication.
If a business is franchised, who is responsible for the data – the franchisee, the franchisor, or both?
This would depend on the precise nature of the relationship between the parties and the data processing carried out.
Consent for processing employee data
You do not always need legal consent for processing employee data, although consent is one lawful basis for doing so. There are five others – contract, legal obligation, vital and legitimate interests, special category data and criminal offence data.
A key priority for hospitality businesses is to ensure that public-facing privacy notices or policies are featured on their websites. Any queries or email campaigns in place should cross-reference back to the website to ensure that the consumer can easily understand the policy of the business.
The GDPR makes clear that online identifiers, such as website cookies or IP addresses, are defined as personal data. As a result, they will be subject to the broad set of controls implemented under the GDPR, including their security, right to be deleted and legal basis for processing.
You will have noticed that cookie notices are popping up on many websites. Many of these have been put in place in advance of the GDPR deadline to obtain and manage consent from individuals over their use. There is also new EU e-privacy legislation coming out in May that will further address the specific uses of browser cookies, among other things.
Philip Greaves, director, Protiviti
How to ensure you are prepared
Robert Lands, commercial partner at legal firm Howard Kennedy, says it is likely that smaller companies will have put off their GDPR reviews in anticipation of further guidance from the authorities on ambiguities.
He warns that there is no grace period, which the Information Commissioner’s Office confirms, and the GDPR will be enforced from day one. The following is not an exhaustive list but a starting point.
• Contact vendors who process or store personal data for you: HFTP has a letter template on its site.
• Small businesses can contact a dedicated advice line on 0303 123 1113 (option 4).
The Information Commissioner’s Office recommends taking the following actions:
• Ensure key people are aware the law is changing and appreciate the impact it is likely to have.
• Document what personal data you hold, where it came from and who you share it with. You may need to do an information audit.
• Review your privacy notices and plan how to make the necessary changes in time for 25 May.
• Check procedures to ensure they cover all individuals’ rights, including how you would delete data or provide data electronically and in a commonly used format.
• Update procedures and plan how you will handle requests within new timescales and provide any extra information.
• Identify the lawful basis for your processing activity under the GDPR, document it and update your privacy notice to explain it.
• Review how you seek, record and manage consent and whether or not you will need to make changes. Refresh existing consents now if they do not meet the GDPR standard.
• Start thinking about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing.
• Ensure you have the right procedures to detect, report and investigate a personal data breach.
• Familiarise yourself with the ICO’s code of practice on privacy impact assessments and the latest guidance from the Article 29 Working Party, and work out how and when to implement them.
• Designate someone to take responsibility for data protection and assess where this role will sit within your business. Consider whether you are required to designate a data protection officer.
• Determine your lead data protection supervisory authority if your business operates in more than one EU member state.