Europe’s General Data Protection Regulation the (“GDPR”) has been in force for a little over four months, but it is important to remember that May 25th was just the beginning of a new chapter in data protection and privacy rights. In this blog, Preiskel & Co Partner Jose Saras answers questions and discusses what he’s learned from working with clients in the hospitality and tourism sector.
Why should hotels and other hospitality companies care about the GDPR? Isn’t the GDPR a technology law?
Much has been written about the implications for tech-heavy sectors such as telecoms, media and finance. But fundamentally, the GDPR aims to ensure adequate protections for an individual’s privacy – regardless of how the information is stored. It applies to paper files and CCTV footage, as well as fingerprint access cards and hotel loyalty or rewards programs.
Hotels will have thousands, if not hundreds of thousands, of unique guests or visitors each year. Additionally, hotels and other hospitality companies often employ large numbers of staff at any given time, and turnover rates within the industry can be high. This means hotels will have vast amounts of personal data at their disposal.
The GDPR has updated the definition of personal data. How does this impact the hospitality industry?
In contrast to the old data protection laws, the GDPR defines “personal data” as being any information that identifies or could potentially identify an individual – this goes far beyond someone’s name, date of birth, or address. In some circumstances, this can include information like usernames, location data, and ISP addresses.
The GDPR requires that all personal data is kept safe and secure. To meet these legal obligations, hotels need to review and consider a wide range of systems, internal policies and contracts with vendors as part of their GDPR compliance. In addition to staff contracts and guest forms, this could also include Wi-Fi policies, CCTV policies and signage, contracts about payment transactions… the list goes on. Personal data can be hiding in a variety of systems or documents… or hidden in any hotel cupboard where staff or guest forms are kept!
What about sensitive personal data?
Hotels must also be aware that they are often guardians of sensitive personal information from the guests or members of staff. When a guest checks in with reception, a hotel may ask for copies of ID, travel documents, or if the guest has any dietary requirements. This data could be sensitive personal data if it reveals race, religion or ethnicity. In such circumstances, particular rules about safeguarding that information will apply. Information relating to sexuality, biometric data, health or political beliefs are also considered sensitive personal data, so this could apply to information held about hotel staff as well.
Marketing and advertising is hugely important for the competitive hotel industry. What are some common misconceptions about what the GDPR says in respect of marketing?
Firstly, while it’s true that the GDPR has tightened the rules surrounding what companies can and cannot do with an individual’s personal data, it is a common misconception that consent is always needed. Consent is just one of several lawful justifications available under the GDPR: it is possible to rely on other lawful justifications.
Secondly, the GDPR is not the only law that applies to marketing! The Privacy and Electronic Communications Regulations (the “PECR”) sit alongside the GDPR and much of our work involves that legislation, too. The PECR regulates the sending of direct marketing communications to recipients by electronic means and has specific rules about it which are not covered by the GDPR. The misconception that the GDPR regulates direct marketing communication is perhaps why we’ve seen so many messages from businesses about “staying in touch” and “confirming consent” to receive marketing emails – and this is often the wrong approach.
If for whatever reason consent will be difficult or impractical for a controller to obtain, can hospitality business rely on a different lawful justification under the GDPR – for example, contractual obligation or legitimate interests?
Absolutely – but doing so requires a careful analysis. In deciding which lawful justification (known as a “lawful basis” under the GDPR) to rely upon, it’s always best to involve privacy lawyers and to consider each activity on a case by case basis. In any event, the justification for using someone’s personal data, whether it is based on consent or otherwise, must be clearly explained to the data subjects, including both hotel staff and guests. This is to ensure the controller processes the personal data fairly, lawfully and transparently.
It seems that individuals are becoming increasingly aware about their enhanced rights under the GDPR. The GDPR has been given considerable publicity and, has made exercising rights relating to data privacy much easier. What do businesses in the hospitality and sector need to consider when dealing with requests from individuals concerning data?
Indeed, there are now six potential data subject requests that a European resident, regardless of their citizenship, may make under the GDPR. This includes the right of access and the right to be forgotten. In addition, the GDPR has also introduced a strict regulatory timeframe for responding to individuals. Because of the volume of personal data and sensitive personal data they use, hotels and other hospitality business need to ensure that they have clear systems and procedures in place, so they can easily and efficiently handle these types of requests. If requests are handled inadequately, an individual is entitled to make a complaint to the Information Commissioner’s Office (the UK regulator), and a hotel’s reputation – and business – may suffer as a result. Some of our most complex GDPR work to date has involved data subject access requests.
How is Brexit going to impact GDPR compliance for Hotels and other hospitality business in the UK? If the UK leaves the European Union, does that mean we can forget about the GDPR?
The short answer is no! The UK European Union (Withdrawal) Act 2018 has a special provision which will make the GDPR part of our domestic legislation following our departure from the EU in March. Furthermore, the GDPR has extra-territorial effect, which means that it applies to companies wherever in the world they are located if they collect or use personal data belonging to European Union residents. This means that all hotels must comply with the privacy compliance standards established by the GDPR, even after Brexit.
Please contact Jose if you have any questions regarding the above.