GDPR: four letters that are proving to represent one of the biggest challenges facing businesses in 2018. The General Data Protection Regulation (GDPR) applies from May 25 across the European Union. It covers any organization established in the EU that processes personal data, and also organizations outside the EU that offer goods or services to, or monitor the behaviour of, people who are in the EU, wherever the organization itself is located. How organizations hold, store, and process personal data will now be subject to higher and more consistent scrutiny, with the potential of a significant penalty for non-compliance.
AETHOS Consulting Group’s London Managing Director Chris Mumford emphasizes that much attention is already given to how customer data is handled under GDPR, especially in the hospitality sector where hotels process a high volume of personal information and payment data.
“GDPR not only impacts how a business interacts with its external customers but also how it manages data internally with regard to its employees,” Mumford explains. “In an industry such as hospitality where the labor force is so often highly diverse and comprised of multiple nationalities, most organizations will be affected by GDPR.”
Adele Martins, partner and head of the Employment Department at law firm Magrath Sheldrick LLP, clarified that GDPR is considerably stricter in its requirements than the U.K.’s Data Protection Act (DPA). Mumford and Martins highlight a number of key features hospitality employers should consider as they address compliance with the new regulations:
What qualifies as ‘sensitive data’? People naturally regard information about their health or their sexual orientation as more confidential. Technically, what the DPA called sensitive personal data and the GDPR calls special categories of personal data includes information about a person’s racial or ethnic origin, health, sex life, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership, and genetic and biometric data. Processing these categories is prohibited unless a specific exception applies, so employers should check whether they hold any of them (for example, sickness records, dietary or religious accommodations, or fingerprint-based time clocks) and on what basis.
How is employee consent defined and best obtained? The GDPR makes it clear that consent must be freely given, specific, informed, and unambiguous, and that it can be withdrawn as easily as it was given. It can no longer be implied from silence, pre-ticked boxes, or inactivity. Employers should also be aware that, because of the imbalance of power between employer and employee, consent is rarely treated as freely given in the employment relationship, so for routine HR processing it is usually safer to rely on another lawful basis (such as performance of the employment contract or a legal obligation) and to reserve consent for cases where the employee has a genuine choice.
Where does GDPR compliance lie for businesses that have external suppliers with access to personal employee information (e.g. payroll providers)? The answer is: with all parties. The controller remains responsible for the data, and the processor has its own direct obligations under the GDPR. The advice to controllers is to have appropriate written agreements in place with providers so that those processors are contractually obligated to process data only on the controller’s instructions, to keep it secure, and to assist with data-subject requests and breach notification.
Would a hotel in New York which employs a French national in the kitchen be subject to GDPR? A hotel in New York employing a French national is processing the personal data of an EU national, but that EU national is not within the EU. Does that mean the hotel is off the hook? Mumford and Martins say no: the EU national is still likely to be protected by the GDPR, not least because they are bound to return to the EU at some point, and the processing will not stop when they do. Employers should note that the regulation’s territorial-scope test turns on whether the employer is established in the EU or offers services to, or monitors, people in the EU, rather than on an individual’s nationality, so a hotel group with EU properties or EU-based HR systems is on much firmer ground assuming it is in scope than trying to argue it is not.
What are the sanctions for failing to comply? The maximum sanction under the GDPR is a whopping 20 million Euros or, in the case of a corporate undertaking, 4 percent of global annual turnover, whichever is higher, so for a large group the fine can be far more than the 20 million Euro figure.
Mumford and Martins urge hospitality employers to take three critical steps immediately to prepare for the GDPR compliance deadline: dedicate data protection personnel internally and at a senior level; put in place appropriate security measures to ensure that personal data is properly stored, securely processed, and retained only for as long as necessary; and clarify Privacy Notices so that the individuals in question understand what data they are providing, why, and for how long it will be kept.