The importance of May 25, 2018. If you are reading this, you have probably been inundated with emails from companies announcing that they have adopted new and better privacy and security policies and procedures. This isn’t a coincidence – as of May 25, 2018, the EU’s General Data Privacy Regulation (GDPR), requires every organization that does business in the EU, or that collects information from EU citizens, to guarantee the privacy and accuracy of personal information. While the purpose of the GDPR is to strengthen and unify data protection for all individuals within the EU, its effect is worldwide; every organization that does business in the European Union or collects personal information from individuals in the European Union is subject to this regulation.

The GDPR is a watershed event that will impact every business that collects personal information, wherever located, and no industry will be more impacted that the hospitality industry. Other companies can choose not to do business with EU citizens; some companies have determined that it is impossible to comply and have actually closed. That is not an option for hotels. Hotel companies need to understand the goals and requirements of the GDPR. The nature of hotels and the various data holding sources such as OTA bookings and PMS systems escalate the regulation for travel and hospitality industries.

Severe consequences for non-compliance. The consequences for non-compliance can be extreme: The maximum fine that can be imposed for serious infringements of GDPR is the greater of €20 million or four percent of an undertaking’s worldwide turnover for the preceding financial year. While no one knows yet how aggressive European regulators will enforce GDPR, and in particular how they will apply it to firms based outside the EU, there are already public interest groups that are targeting multinational companies, and it seems likely that there will be some fallout.

What you need to know. Complying with GDPR is not easy. The GDPR is based on general principles, which allow leeway – and confusion – for companies. The rules of the road are likely to become clearer as the regulation is implemented, but for now, each company must make hard decisions. The GDPR requires that an organization both comply with its principles and document compliance. It is more than just adopting a new privacy policy; it requires concrete actions, and recording those actions.

While the entire process of compliance is extensive and a continuing effort, firms should take on 5 concrete steps to get on the road to compliance:

  1. Map your Data. It is impossible to protect data if you don’t know what or where it is. Many companies collect data indiscriminately and keep it indefinitely; both of these are the exact opposite of what is required under the GDPR. A company must know what information it collects, where it stored, how it is used, and who has access to it in order to begin to comply. Importantly, companies must look not only at the data they collect directly; they need to consider data they obtain from others. For example, a hotel company will be responsible not only for personal data in reservations made directly with the hotel, but also for data from OTAs and other sources.
  2. Appoint a Data Privacy Officer. Privacy and security demands attention from every level of an organization, but the GDPR emphasizes the need for a single individual or office to be responsible for evaluating security and compliance. Companies need to identify someone who is knowledgeable in the law and regulation of data security, as well as the firm’s individual business practices.
  3. Review vendor agreements. Firms are responsible for anyone who uses the data they collect or obtain. This includes not only employees and others working directly for a firm, but also the companies we engage to perform services for us. Hotels use a bewildering array of vendors to provide services, ranging from credit card processing to marketing to personnel management – each of these entities need to comply in order for you to comply.
  4. Update Existing Policies. It is likely that your existing privacy and security policies, both internal and external, need to be updated to reflect the requirements of the GDPR. Companies need to remember that the GDPR requires that companies provide actual privacy and security, and also prove that they do through applicable documentation. The policies have to be consistent with practice.
  5. Engage Experienced Counsel. Companies cannot achieve compliance with GDPR without engaging counsel that are experienced in data security and can guide companies through the differences between US and EU regulation.