For Europeans who travel abroad, the United States remains a popular destination, which is great news for domestic hotel and resort owners. But bookings from the European Union, while good for business, may soon create real headaches for hoteliers in the U.S in the form of the General Data Protection Regulation (GDPR).
The EU adopted the GDPR in 2016, establishing the rights of EU residents with regard to how their personal data is collected, processed, shared and retained. In response, consumer-facing companies around the world, including those in the hospitality space, are struggling to understand how the GDPR will affect business operations and the extent of their compliance obligations. As the 25 May 2018 deadline for compliance is fast approaching, the following answers to some frequently asked questions about GDPR should prove helpful.
My company has no properties located in the EU. Do I even have to be concerned about the GDPR?
Yes. The GDPR applies to all cases where any one of the following are based in or operate from the EU: 1) the data controller (the company that collects EU resident data); 2) the processor (the company that processes data for the data controller, such as a website host); or 3) the data subject (the EU resident). There is no minimum threshold for compliance. If an organization collects data from a single EU resident, it needs to treat that data in compliance with the GDPR.
In more basic terms, if an EU resident stays at a hotel or resort located outside the EU (say, in Florida), that property is likely collecting information that pertains to that guest, and that data must be GDPR compliant.
But I don’t collect “personally identifiable information (PII),” just a name, email address and IP address. Do I still have to comply?
Again, the answer is yes. The GDPR focuses on “personal data,” which is different from and much broader than PII.
Can I just get my EU customers to waive GDPR compliance?
No. GDPR rights cannot be waived, though one way to collect, process or use a subject’s personal data is by obtaining her consent.
Something else to consider: The GDPR creates a “fundamental right” for EU residents to control how their data is collected, processed or retained. This is not an “absolute right” in the sense that businesses have some right to collect or retain personal data if they obtain prior consent, require the information to fulfill a contract with the data subject or need the information to comply with a legal obligation (such as a tax or regulatory reporting obligation).
So if I include a provision on my website privacy policy (there’s a link to it on the bottom of my website that no one except my lawyers seems to know about), implying consent if they continue using the website, is that sufficient?
No. Data subjects must take some affirmative action to indicate their consent after you have fully informed them why you are collecting their data, how you will use it, who you will share it with and how long you will keep it. This can be in the form of an unchecked consent box (note: you cannot pre-check it for them) or a text field where they can “digitally sign” or enter the words “I consent.” All consent must be verifiable, so it is important to maintain records (date, time, IP address, etc.) and keep in mind that consent can be withdrawn.
What if I decide to accept the risk of non-compliance and “roll the dice” they don’t target me for an enforcement action? What’s the potential penalty?
GDPR sanctions are severe. You may be given a written warning for first or non-intentional cases of non-compliance, but you can also be fined the greater of €20,000,000 ($24,805.56) or 4% of your annual worldwide turnover, depending on the type and severity of the violation.
OK, it sounds like my company has to comply. Where do I start?
There are several steps you can (and should) take right away to move toward GDPR compliance, including data mapping (identifying where and what type of data is stored within your organization); segmentation (segregating EU data from other data subjects); consent (reviewing the processes in place for obtaining and recording users’ consent); documentation and training (training employees on the GDPR-related mandates and distributing written internal policies to demonstrate your commitment to compliance); and accountability (appointing an individual within in your organization whose responsibilities include monitoring data governance and privacy).
Of course, seeking experienced counsel is always recommended. Remember, time is of the essence—the deadline for GDPR compliance is 25 May 2018.
Dana A. Kravetz, the managing partner of Michelman & Robinson, LLP (M&R) and leader of the firm's Hospitality Group, focuses his practice on counseling and litigating on behalf of hotel and resort management. Mr. Kravetz can be contacted at 310-299-5500 or dkravetz@mrllp.com.
Scott Lyon is also a partner at M&R. He helps clients evaluate and implement effective information security practices. Likewise, he provides advice on best practices in the event of data breaches. Mr. Lyon can be contacted at 714-557-7990 or slyon@mrllp.com. Please visit http://www.mrllp.com for more information.
The opinions expressed in this column do not necessarily reflect the opinions of Hotel News Now or its parent company, STR and its affiliated companies. Columnists published on this site are given the freedom to express views that may be controversial, but our goal is to provoke thought and constructive discussion within our reader community. Please feel free to comment or contact an editor with any questions or concerns.