The European Union's (EU) General Data Protection Regulation (GDPR), which took effect on May 25, 2018, requires businesses to manage their customers' personal data carefully and to prevent its misuse. The GDPR places stringent requirements on how businesses interact with their customers and on how they respect their customers' privacy rights. Notably, the GDPR reaches businesses based solely in the U.S.: regardless of where a business is headquartered, if it offers goods or services to individuals in the EU, or monitors their behaviour there, the GDPR applies (Article 3). For our purposes, the GDPR applies to travel agencies, tour operators, hotels, motels, inns, clubs, bed-and-breakfasts, Airbnb hosts, car rental agencies, restaurants, aggregators, and other travel and hospitality businesses that operate in Europe, or that operate outside the EU and maintain data on the EU residents they serve. For hospitality businesses, that data typically lives in membership programs, client and prospective-client databases, and similar systems.
The GDPR's basic goals are as follows. If a business has a legitimate reason to collect, process, or transfer an EU resident's personal data (the GDPR's term; it covers any information relating to an identified or identifiable person and is broader than the U.S. notion of personally identifiable information, or PII), the customer must be told so in clear, unambiguous terms. The business must also tell its EU customers who is using their personal data and why; and if the customer withdraws consent or objects, the business must stop, unless it can show compelling legitimate grounds for continuing (for direct marketing there is no such exception). Finally, if an EU customer asks to access, correct, delete, or transfer their personal data, the business is required to act on the request.
Significantly, noncompliance with the GDPR can result in tremendous fines (up to €20 million or four percent of the business's total worldwide annual turnover for the preceding financial year, whichever is higher), operational setbacks, and reputational damage. Consequently, hospitality businesses that hold personal data on EU residents and market their services to them must be prepared to address GDPR requirements through their policies, procedures, and technology.
Background of the GDPR
Prior to the adoption of the GDPR, the EU regulated data privacy pursuant to Directive 95/46/EC. Directives are EU legislation requiring the member states to meet a certain goal while allowing each member state to enact its own laws to meet that goal. The Directive therefore produced twenty-eight different data-protection laws across the EU. The GDPR was adopted to harmonize these laws, to respond to technological advances, and to offer greater privacy rights and protections to EU residents. Although many aspects of the Directive carry over into the GDPR, there are key distinctions that will affect U.S. businesses, including those within the hospitality industry. The extent of the GDPR's impact depends on how the business is characterized: is it a data controller, a processor, or both?
Controller vs. Processor
As a preliminary matter, businesses can move in and out of the controller and processor roles, and how they label themselves (in a contract or otherwise) is irrelevant for compliance purposes; the roles follow from who actually decides what is done with the data. Fortunately, the GDPR provides guidance for that assessment. Simply stated, controllers control: Article 4 of the GDPR defines a "controller" as "the natural or legal person…which, alone or jointly with others, determines the purposes and means of the processing of personal data." In other words, controllers decide why and how consumers' personal data is used, and even where they do not store or process the data themselves, they remain responsible for it. For example, a hotel that collects preferences and contact information from its guests is a controller regardless of whether it stores that data on its own systems or through an external vendor.
Article 4 of the GDPR further defines a "processor" as "a natural or legal person…which processes personal data on behalf of the controller." Processors, then, are instructed by controllers as to how to store, manage, or otherwise handle the personal data (which is often held on a third-party server) and have no right to determine the purpose for which it will be used. Examples of processors within the hospitality industry may include external payroll processors, market research firms, operators of affinity programs such as hotel rewards programs, and aggregators (such as Expedia, Kayak, or Travelocity) that market products and services to the consumer. Note, however, that as soon as such a vendor decides on its own purposes for the data (for instance, an aggregator marketing its own services to the same customers), it is a controller for that processing, with the full set of controller obligations (Article 28(10)).
The GDPR also spells out the obligations of each role. Controllers must be able to justify their processing for it to be lawful, and they must give proper notice to customers at the time of collection. A controller must process personal data on one of the legal grounds set forth in Article 6 of the GDPR, which include: the EU resident has given consent; the processing is necessary for the performance of a contract or for compliance with a legal obligation; it is necessary to protect the EU resident's "vital interests"; it is carried out in the public interest or in the exercise of official authority; or it is necessary for "the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the [EU resident]." Article 30 of the GDPR further requires controllers (and processors) to maintain records of their processing activities, including why the personal data is processed, where it goes, how long it is kept, and what third parties do with it.
Furthermore, at the time an EU customer's data is collected, controllers must notify the customer (Article 13) of: the identity and contact details of the data controller; the purpose and legal basis for processing the data; the recipients of the data; whether the data is intended to be transferred outside the EU and, if so, the safeguard relied on for that transfer (such as an adequacy decision or standard contractual clauses); the storage period; their rights to access, rectify, erase, transfer, or restrict the processing of their personal data; their rights to withdraw consent and to complain to a supervisory authority; and whether the data will be used for automated decision-making, including profiling.
As for processors, their key obligations under the GDPR include notifying the controller of a breach and implementing appropriate security measures. As a threshold matter, Article 4 of the GDPR broadly defines a "personal data breach" as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." Article 33 further requires processors to "notify the controller without undue delay after becoming aware of a personal data breach." In all likelihood, the processor's obligations do not end there: the processing contract required by Article 28 will typically oblige the processor to provide the controller with the details of the breach, because the controller itself must, where feasible, notify the supervisory authority within 72 hours of becoming aware of it, and must notify the affected individuals where the breach is likely to pose a high risk to them. With respect to implementing appropriate security measures (under the controller's oversight), Article 32 gives some flexibility: the measures must take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of the processing, and the risk to individuals. In practice, a processor should be able to show the controller concrete, regularly tested controls, such as encryption of stored and transmitted data, access control, logging, and an incident-response procedure, rather than a bare assurance that the data is "secure."
Taking Steps towards GDPR Compliance
Hospitality businesses should consult with counsel who has dealt with GDPR compliance and work with them to identify the departments within the business that use customers' personal data, including IT, marketing, human resources, and so on. From there, key personnel within those departments should be interviewed to ascertain what personal data is collected and why, how customers are notified, who has access to the data, where it goes and how it is stored, how long it is retained, and whether and how it is deleted. All of this information must be documented, and these records must be maintained and consistently updated (particularly since a supervisory authority may request them at any time). Once this information is compiled and assessed, hospitality businesses should have some insight into their areas of high risk; these areas need to be prioritized for compliance. Then counsel, in conjunction with a technology specialist, particularly one who is well-versed in IT-risk advisory, cyber security, digital forensics, and technology-systems design, can help the business implement company-wide policies, procedures, technical controls, and security, and provide education and training to staff. Additionally, counsel should be prepared to draft the requisite notice for EU customers, which must advise them of their above-referenced rights under the GDPR (e.g., the rights to consent and to withdraw consent, and to have their personal data deleted) and, wherever consent is the legal basis relied on, present a specifically delineated list of separate "opt-in" boxes. Notably, consent must be freely given, specific, informed, and unambiguous; it must be requested in clear and plain language, separately from other terms; and it must be given by affirmative action for each purpose, so there can be no pre-ticked boxes and no single "agree to all" box covering unrelated purposes (Article 7 and Recital 32).
It is important to note that supervisory authorities can easily read such notices on a public website, and a deficient notice may be their first "tip" that a business is not in compliance with the Regulation; it is therefore imperative that these notices be properly prepared by an experienced attorney.
Total GDPR compliance may take time for some hospitality businesses depending on finances, labor, resources, and so on, but prioritizing areas of high risk is the right place to start. The GDPR is here to stay, and it may ultimately become the global standard for data-privacy law and lead to similar privacy laws throughout the world, including in the U.S. Indeed, the California Consumer Privacy Act (CCPA), signed into law on June 28, 2018, and effective January 1, 2020, establishes one of the most comprehensive data-privacy regimes in the U.S. to date. The CCPA regulates companies "doing business" in California and is considered by some to be the U.S. counterpart to the GDPR. It seems inevitable that other states will enact their own data-protection laws as well. In any event, in today's technology-driven world, data-protection laws are proliferating. Accordingly, it is vital for hospitality businesses to take the necessary steps towards compliance, including, but not limited to, retaining legal counsel that understands both the needs of the company and the GDPR's requirements, so that they can move forward with a well-considered, comprehensive compliance strategy.
For questions about this topic, please e-mail: KDHospitalityRetailPracticeGroup@kubickidraper.com.