INTERNATIONAL REPORT—On May 25, 2018, the General Data Protection Regulation (GDPR) that the European Parliament adopted in 2016 will replace the 1995 Data Protection Directive (95/46/EC). And while the new regulation will have more of an effect on businesses across the pond, U.S.-based companies that offer goods and services to people in the European Union (EU), or that monitor their behavior there, will also have to make sure they are in compliance. But is the hospitality industry ready?
“We’ve gotten a lot of calls about compliance and how to prepare, but I’m sure there’s no shortage of people who will be caught by surprise by this May 25th date,” said Kristen Johns, a partner in the intellectual property practice group at Waller.
“Overall, my sense is that companies have been working on this,” said Richard Sheinis, partner at Hall Booth Smith P.C. “But there is still some uncertainty, especially in the United States, with regard to whether or not the GDPR applies to a particular hotel or not, if the hotel or hotel company doesn’t have a physical presence or actual hotel in the EU.”
“I believe there is a great fear amongst U.S. hotels,” said Finn Schulz, principal, Schulz Consulting. “They have heard about GDPR and most likely do not fully understand the scope and impact, but they have the potential penalties in mind. In my opinion, it’s not really relevant unless they run a website targeting European business or staff.”
EU-based hotels, on the other hand, are less fearful. “They’re not necessarily better prepared just now, but starting to speed up,” he said. “They are, however, in the EU and, therefore, fully in scope for the regulation and need to ensure compliance.”
Simply put, the GDPR sets out a single set of rules to safeguard the personal data of people in the EU. Key requirements include establishing a lawful basis, such as consent, before processing personal data; pseudonymizing or anonymizing collected data to protect privacy; notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it; lawfully handling transfers of personal data outside the EU; and, for certain organizations, appointing a data protection officer to oversee GDPR compliance, among others.
“It’s designed to be disruptive,” said John Barchie, senior fellow at Arrakis Consulting, a security firm that specializes in GDPR compliance. “The good news is it’s not targeted toward the hotel industry. It’s targeted toward social networks.” Of course, he noted, that doesn’t mean hotel companies are off the hook if data is mishandled.
What the GDPR effectively does, he said, is change the onus of privacy from the individual to the business owner. “You are responsible, not them, so if you ask them for information, you better really need it because you’ve just made yourself liable to the loss of that information,” he said.
Schulz added that hotels need to understand that the regulation doesn’t mention EU citizens—it applies to all people located in the EU. “It is important to understand that the GDPR is applicable to all citizens as long as they are in the EU or the data controller or the data processor is in the Union,” he said. “Therefore, there’s no risk of a U.S.-based hotel getting into trouble by an EU citizen walking into the lobby.”
For U.S.-based businesses, Sheinis said, “It comes down to this: Is it offering its goods and services in the EU? That’s the lynchpin that brings U.S.-based entities under the GDPR.”
However, he said, that doesn’t mean the mom-and-pop independent bookstore in Ohio that sells one book via the internet to someone in the EU needs to worry about compliance. “The only guidance that the EU Commission gives is they say if you’re trying to figure out if a company is offering goods and services in the EU, just being on the internet doesn’t qualify as offering, because that means everyone on the internet would be subject,” Sheinis said.
“I think it is important to think about business processes and not look at a hotel as a whole,” Schulz added. “A hotel outside of the EU is out of scope for GDPR, but if they run a central reservation service (voice) or a website targeting EU travelers, that transaction is in scope; however, not the check-in, stay or checkout at the hotel,” he said, adding that these services are typically brand services, which puts the compliance responsibility on the brand, if a hotel has one.
So how can companies figure out if they need to comply? “Look at your website, and how you advertise. What are you doing to either draw in or not draw in business from the EU member states?” Sheinis said. The languages the website can be viewed in and whether or not rates are offered in euros can both be indicators that a hotel markets to those in the EU.
“What percentage of your guests are from the EU?” Sheinis asked. “That doesn’t decide the issue, but it can be instructive. If the answer is 1%, then it’s much more likely you’re not offering goods and services to people in the EU. If 40% are from the EU, it would be hard to say you’re not offering goods and services in the EU.”
Advertising is another key area. “I’ll look at vendor contracts and advertising and see how they’re doing things and whether that can be construed as offering goods and services in the EU,” Sheinis said. “Then I’ll look at how they do data processing—if they’re processing data or if they have a vendor who does certain analytics on their guest data. Where is that data being processed? If it’s in the EU, that’s also going to bring up an issue. I’ll create a data flow map to trace data, where it’s going from and going to.”
As for what companies that need to comply should do, Barchie noted, “The two things GDPR really emphasizes is data minimization—making sure the amount of information you’re requesting is the minimal amount you need to provide the service—and anonymizing the data so no one can look at a record and determine that it’s you.”
For her part, Johns said, “Entities need to be aware of and be able to show data intake; what happens once they receive data; and the workflow, if any, once data is in their possession. Having that data map is going to be important for compliance and making sure they have the proper consents and notices in place in connection with the use of that data.”
“In reality, it is not so big a job, providing the hotel complied with the EU Directive on Privacy from 1994/1995,” Schulz said about EU hotels, reiterating that U.S.-based companies only have to comply as it relates to specific interactions with those located in the EU. However, he added that U.S.-based hotels would find value in similar steps. “Such hotels will benefit if they implement similar procedures and communicate to the market that they take it seriously and only collect what is needed, and protect your information as well as under the governance of the GDPR.”
There is a tiered range of penalties for GDPR non-compliance. The lower tier reaches €10 million or 2% of worldwide annual turnover for the prior financial year, and the upper tier €20 million or 4%, in each case whichever is higher. “Those monetary penalties are really what makes people’s eyebrows raise and gets their attention,” said Johns, noting that the 72-hour data breach notification window is also an area of concern.
But Sheinis noted that companies that are putting in a good-faith effort shouldn’t be too concerned about fines. “GDPR provides for guidance that can be simply a letter that says you’re not doing it right, and this is what you need to do to comply,” he said. “On May 26, anyone not in compliance is not going to turn into a pumpkin and be fined 4% of gross revenue. It won’t happen that way. And there is some guidance that if there is an infraction, the supervisory authority is supposed to look at things such as: Is this a first time or has it happened before? How serious is it? How many people does it potentially affect?”
Barchie added, “Most companies that have started thinking about GDPR won’t be fully compliant by the due date, and they’re going to have to concentrate on having the appearance of being willing to comply.”
So for EU-based hotels and U.S. hotels that engage in activities that are subject to GDPR that aren’t fully compliant yet, there’s still time to fix that. “Even if you can’t make the May 25 date, a lot of the regulations are still evolving, especially in connection with specific member states that might have unique regulations and ways they’ll implement and enforce the GDPR,” Johns said. “Even if you’re not in 100% compliance, it’ll be important to show you tried.” HB