by Dr. Michael Toedt and Dr. Robert Selk
The GDPR (General Data Protection Regulation) is about to become effective and it is time now for the hospitality industry to become aware of this topic. The GDPR is considered the big bang for data protection. The new regulation will take effect on May 25, 2018 after a 2-year transition period. As of this date, all data protection regulations currently valid across the 28 countries of the European Union will be replaced by this new regulation, making the 28 different local data protection regulations disappear. With the GDPR data protection will be Europeanized.
The new regulations of the GDPR will bring many changes and various additional obligations. This will lead to new implications for owners, managers and employees.
German companies that comply with the current local Data Protection Act have a clear advantage, as a lot of the regulations will remain the same or be similar.
Hand on heart – have you already taken measures to ensure proper data protection? I doubt that many hoteliers have spent the necessary time on this topic.
There is a difference between the so-called “data security”, i.e. the technical and organizational measures, and the actual “data protection”, meaning the protection of a person from excessive collection of personal data by companies, the government etc. Under data protection a person does not only include the guests, but also employees, suppliers, and other third parties. We will focus on the hotel guests, the direct clients of our industry.
Here are some good reasons why the GDPR should be taken seriously:
- Organizations in breach of the GDPR can be fined up to €20m or 4% of annual global turnover (whichever is greater). This is quite an increase from the former maximum amount of €300.000. Now, the annual global turnover of an organization is taken as a calculation basis. This makes it all the more important for international organizations with branches in Europe to comply with the GDPR, as the annual turnover of the entire group will be taken into consideration.
- Under the new regulations, the personal liability of managing directors will remain valid; so will be the personal liability of employees.
- The GDPR aims at strengthening the position of any affected person. This will, however, also encourage so-called “warning associations” to pursue infringements of the GDPR and to instigate legal proceedings. This could lead to the development of a new type of “warning” industry, which can increase the risk of getting fined.
In other words, this is the last chance to take this topic seriously and to take respective actions.
Record of Processing Activities
The GDPR clearly regulates how data protection must be organized. One of the new obligations is to keep record of all data processing activities in a so-called Record of Processing Activities. All processes of an organization that involve personal data must be described and documented. The record must also indicate how long the data is stored and when it will be deleted. German organizations that have a documentation following the current German data protection regulations, can easily adapt the existing record to the new requirements. Most companies, however, have no documentation that they can build on. A typical organization has about 150 processes that have to be evaluated and documented. It can take a couple of hours to create the respective entry in the Record of Processing Activities. This gives an indication of the scope of a GDPR project and the work involved to create the required documentation. And, keeping a Record of Processing Activities is only one of a dozen requirements.
The Record of Processing Activities clearly shows where data is processed and what exactly is done with it. In the past, companies had some time to create the documentation, as any inspection was announced prior by the data protection authorities. As of May 25, 2018, however, the authorities have the right to demand the Record of Processing Activities without giving any prior notification. There are even discussions about remote access to the records. But even if the deadline was longer, it would be impossible to create a proper record, as it requires so much input by the specialist departments, such as legal, the data protection officer, IT security, etc. There will be no more buffer for a quick fix. If you want to avoid the risk of getting fined, all documents should be more or less available at hand.
Implications for the hotel software
The controller of the data, e.g. a hotel, will liable for the proper data processing of its suppliers, mainly the software providers (“processor“). This implies that a hotel based in Germany is fully liable for the activities of its software provider, which is based in the US or in China. The German hotel is obliged to verify, if the provider complies with the new regulations. This will be extremely challenging for most European hoteliers and might have serious consequences.
The GDPR will also bring big challenges for the industry in regards to technology. An individual hotel works with up to 15 software systems containing guest data. As of May 25, 2018, guests have the right to request information about their personal data stored by the hotel. They also have the right to demand deletion of their personal data. Further, a guest may demand transfer of his personal data back to him or to a third party, e.g. a competitor. There are certain prerequisites to this, but these are mostly met in case of guest data.
In a fully heterogeneous IT environment, it will be virtually impossible for companies to comply with the new regulations, unless they have a Central Data Management (CDM), a so-called “Above Property System“, which centralizes all data streams. A CDM with its central guest profiles enables the implementation of a privacy dashboard meeting the new EU standards.
We highly recommend checking, if your software provider complies with the GDPR regulations. If not, you should switch provider and even consider taking legal action for non-compliance with the legal requirements. Data protection should be part of the software concept (Privacy by Design). And it is your right to work with partners who provide a legally compliant software. We advise to only work with software providers that guarantee legal compliance. European software companies had to comply with data protection regulations for many years already and are thus better prepared than providers, for which the complex regulations of the GDPR are new territory. Never before has it been more important to select the right software provider.
Since April 2017, dailypoint™ has been working on a holistic GDPR compliance strategy. During ITB 2018, we will present the new privacy dashboard for our dailypoint™ software products. This dashboard will be integrated as a standard module in all dailypoint™ products (kissCRM by dailypoint™, dailypoint™ 360° CDM/CRM, dailypoint™ BOOKING MANAGER and dailypoint™ SMART WLAN). For us “Privacy by Design“ means that we take data privacy seriously and support our hotels to do the same.
About the authors:
Operating at the intersection of business and technology, Dr. Michael Toedt helps hoteliers with the software dailypoint™ to use the tremendous increase of data in order to become datacentric. Dr. Michael Toedt has over 25 years of experience in operations, technology and marketing. He is the author of several books (among others “Big Data – Challenges for the Hospitality Industry” (2013) and “Data Revolution – How Big Data Will Change the Way of Doing Business” (2014) and his articles are published by journals on a regular basis. Dr. Toedt holds a doctoral degree in management science. He is lecturer at several universities and assistant lecturer at the University of Applied Sciences of Munich for the subject “Customer Relationship Management in Tourism”, guest lecturer at various universities such as the University of Applied Sciences of Bad Honnef, Kempten and NDS Hôtelleriesuisse.
Attorney-at-law Dr. jur. Robert Selk is associate partner in the law office of Dr. Schmid, Dr. Selk & Hoffmann in Munich and cofounder of Toedt, Dr. Selk & Coll. GmbH. His doctorate was completed in the internet and data protection area. Master postgraduate studies followed in European and International Business Law (Master of Law, LLM). Dr. Selk is a member of the work group IT-Law of the German Lawyers Association, the German Association for Law and Computer Sciences (DGRI), the Association for Data Protection and Security (GDD) as well as the German Data Protection Association (DVD). His activities are mainly focused on computer, internet, data protection laws and commercial legal protection/ copyright laws. Dr. Selk is Data Protection Officer in various companies and also guest lecturer at the University of Augsburg for the ecommerce field as well as lecturer at the Academy for Corporate Management of the Chamber of Commerce in Bavaria.
Here you can download the blogpost as PDF.