The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.
The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
GDPR requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. When the GDPR takes effect in May 2018, it will replace the data protection directive (officially Directive 95/46/EC) of 1995.
The regulation was adopted on April 27, 2016 and becomes enforceable from May 25, 2018, after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable.
Non-compliance could cost companies dearly.
Here’s what companies doing business in the EU need to know about GDPR.
In summary what does this mean for my business?
Companies must provide a “reasonable” level of protection for personal information about EU citizens in EU states even if you do not have a business presence in the EU.
Examples of personal information are name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, cookie data, race or ethnicity, political opinions, biometric data, or a computer’s IP address for geo-targeting.
Which companies does the GDPR affect?
Companies that store or process personal data about EU citizens within the EU must comply with the regulation, even if they do not have a business presence within the EU.
Criteria for companies required to comply are:
- A presence in an EU country
- No presence in the EU, but it processes personal data of European residents
- More than 250 employees
- Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.
So, pretty much any company.
A PwC study showed that 92% of U.S. companies consider GDPR a top priority in 2018.
When does the GDPR take effect?
May 25, 2018
Companies must be able to show compliance by May 25, 2018.
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million, whichever is higher.
What does this mean for hotels?
Currently, rules around collecting guest data are flexible, but that is all about to change.
Explicit consent means that hotels must explain to the customer what data they are collecting, why they are capturing that data, and who specifically is requesting that data or who else will have access to this data.
Whether your hotel is located in the EU or somewhere else, you will be required to comply with GDPR regulations. If you target guests from the EU, you will require personal information from them, therefore requiring your organization to comply.
How does this affect my hotel marketing efforts?
From a marketing perspective, this regulation makes things even more complicated.
When you collect contact information from an EU resident, you must expressly state what their data will be used for. After that point, you will never be able to use their information in any other way except for how you have clearly stated to the customer previously.
For example, an EU resident signs up to receive your hotel’s monthly newsletter.
In the past, it may have been relatively simple for hotel marketers to use that email over and over again for other marketing campaigns and initiatives aside from the newsletter.
After May 25, with the GDPR in affect, hotel marketers will then be required to ask express permission for the use of those emails for any marketing initiative aside from the newsletter, and so on.
Who within my company will be responsible for compliance?
The GDPR defines a few roles that are responsible for ensuring compliance. Mainly, your Data Controller, Data Processor and the Data Protection Officer (DPO) will be responsible for compliance across your organization.
The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply.
What should my company be doing to prepare for the GDPR?
Set a sense of urgency that comes from top management. Cyber preparedness must be of top priority of top executives in order for organizations to be successful. Compliance with global data hygiene standards is part of that preparedness.
- Consent to use a person’s information must be clearly explained and there must be a positive opt-in. A pre-ticked opt-in box is not a valid consent.
- At the time of data collection, a privacy notice should be presented.
- Collected personal information must be relevant and limited to what is necessary.
- Do not keep personal information any longer than necessary.
- Have a data protection policy and data breach response plan in place that meets the requirements of the GDPR.
- Seek expert advice or legal counsel as needed.
Vizergy has measures in place which meet the principles of data protection and design by default. Additionally, we are in the process of verifying that our vendors and partners are in compliance with the GDPR.
What if my business receives a request from an EU citizen related to their rights under the GDPR?
Please speak with your Vizergy account management team or contact us at 1-800-201-1949 to speak with a specialist. You should also engage your data protection team or Data Protection Officer (DPO) and if in doubt seek legal counsel for additional guidance.
The right of access and data portability, the right to erasure, the right to object or the right to rectification.
We will work with you to provide a copy of any personal data (using secure transfer), erase any personal data, cease processing any personal data and/or rectify any incorrect personal data for the citizen that we have collected through a Vizergy marketing service.
Concerned about your company’s readiness for GDPR? Call Vizergy to speak with one of our data security experts and learn how Vizergy can help you be ready for the looming change. Call 1.800.201.1949 or email your Account Manager, today.