The European Union will enforce the General Data Protection Regulation (GDPR) from May 25, 2018. Finn Schulz, Principal, Schulz Consulting, and an active consultant member of Hospitality Technology Next Generation (HTNG), shares insights on regulation for the travel industry in the Middle East.
The purpose of the General Data Protection Regulation (GDPR) is to provide a standard set of data protection laws across all member countries for EU citizens to clearly understand how their data is being used. The GDPR builds upon the 1995 Data Protection Directive 95/46/EC, which governed the processing of personal data, and refreshes the legislation to suit the modern day. Failure to comply with the GDPR can cost organisations up to 4 per cent of annual global turnover or €20 million in fines.
Speaking at the HTNG Middle East Conference 2018, held at the Jumeirah Mina A’Salam from January 23-24, Finn Schulz, Principal, Schulz Consulting, explains that one of three parties needs to be in the EU for a company to fall under the GDPR: the data subject, the data controller or the data processor. The data subject is the individual whose personal data is being collected (name, IP address, etc.). The data controller is the body that determines the purpose for which the information is used. Finally, the data processor collects and stores the actual data. It’s important to note that an outsourced data processor is now subject to direct scrutiny by the EU Data Protection Agencies, whereas in the past the data controller alone was responsible for the compliance of the processors it engaged.
Schulz advises the travel industry to expect the biggest impact of this regulation to be felt over the internet, with call centres and print advertising to follow. Consider an EU citizen booking a hotel room online: they initiate the transaction and create a contract with the hotel. The hotel now automatically acts as a controller and processes the individual’s data until check-out. At that point the contract is complete, and the hotel cannot hold any information without consent from the individual; handled this way, the scenario complies with the GDPR. However, the hotel could fall out of compliance if it holds on to the guest’s information afterward, or if other personal data unknown to the guest was indirectly collected, such as racial or religious indicators. Do note that certain local regulations may require hotels to retain traveller data, which can supersede these rules.
Some hospitality experts believe inherent consent is given by enrolling in a loyalty programme. A loyalty programme can serve as a joint controller across a brand, but the data being stored, the purpose of collection and the length of retention need to be disclosed to the individual when signing up. Schulz views historic data as the main privacy issue for the travel industry. “Best practices include having as little data as possible, justification for what is necessary and proof of consent,” said Schulz.
Schulz expressed that the retention period is the most overlooked aspect of the regulation. A company should first research whether it is in scope, bearing in mind that one of three elements (data subject, data controller or data processor) must be in the EU for the regulation to be applicable. If your company does fall within the scope of the regulation, establish what personal data is collected and where it is stored. Evaluate and reduce this data to only the necessary fields, and keep to that minimum going forward. “My advice for companies is to take this seriously, do your research and make sure your processes are in place,” said Schulz. “The regulation is not meant to fine as many organisations as possible, but to build openness and trust between customers and business.”