Beekeeper Chief Data Officer Dr. Amir Ameri answers hoteliers’ frequently-asked questions to better navigate GDPR next steps
SAN FRANCISCO, CA July 24, 2018
The European General Data Protection Regulation (GDPR) compliance deadline has passed, and it now requires every hotel in the world to have guidelines in place that protect European Union (EU) residents’ personally identifiable information against security breaches. While a lot has been discussed to help hoteliers become compliant, many are wondering “what comes next?” Dr. Amir Ameri, Data Protection Officer for Beekeeper, a GDPR-compliant developer of a digital workplace app hailed as the “Most Innovative Technology” for 2018 and the “People’s Choice” by actual users and buyers, provides answers to some of hoteliers’ most frequently asked questions.
Q: How quickly will regulators levy major fines if a hotel or hospitality-related business is not GDPR compliant?
A: Before a fine is levied, an offence must be established. This may be due to an incident impacting the personal data of an employee or a guest, or to a defined regulatory audit. Hence, establishing an offence in this matter would require evidencing several criteria, performing audits, and assessing the offender’s knowledge of the offence, i.e. establishing intent and the level of due diligence the offender had met. Taking all factors into consideration, previous court rulings in the EU on data protection and privacy matters have taken time to be handed down. Article 83 states: "In any event, the fines imposed shall be effective, proportionate and dissuasive." This will be case dependent and influenced by the legal proceedings in the jurisdiction in question as defined by the regulatory body.
Q: Will the GDPR regulation help or hinder future innovation?
A: In my opinion, not only will GDPR regulation significantly help future innovation, but it will also establish an absolute maximum of the necessary level of "trust" required to have a flourishing use of any future innovation.
Q: Will the GDPR regulation help or hinder my hotel’s global marketing efforts?
A: Understanding that establishing "trust" is the cornerstone of any successful marketing effort, there is nothing better than upholding a basic “undeclared human right” in any company's effort to commercialize their product. Adapting to new processes and marketing efforts will be necessary, but it's also addressing an important need in the minds of most consumers.
Q: What do hotels need to do to maintain their opt-in subscriptions? What will this mean for customer loyalty and bottom-line revenues in the future?
A: It is helpful if businesses/hotels recognize that personal data is not a free commodity and that there is an ownership title associated with the personal data, belonging to the data subject. Safeguarding this is all GDPR requires. Incentives, or any form of compensatory measures of interest to the data subject, may result in maintaining higher customer loyalty. It is important to note, however, that customer loyalty and bottom-line revenues were only impacted for businesses/hotels with a model that uses "free commodity = personal data" to generate income. As we all know, in a free economy, this itself is considered an unfair distribution of resources and a disadvantage for a healthy economy, and it is not tolerated in many countries.
Q: What happens if there is a third-party breach? For example, a hotel uses WhatsApp to stay connected to their employees. What happens to that hotel if WhatsApp is not compliant? Is it liable for the breach or is WhatsApp solely responsible?
A: One of the points that GDPR addresses clearly is the responsibility of each party in the processing life cycle. In this respect, although GDPR has a "pass through" approach, it is the responsibility of the controller to be transparent towards the data subject and to manage such risks with the processors and the involved third parties. For example, having a data processing agreement in place between the involved entities, performing risk assessments, and taking other risk-mitigating measures are the norm in managing this type of risk. In the example stated, since the hotel is considered the controller, the hotel will certainly be audited to establish whether or not it had performed its due diligence towards managing this risk. The basic assumption is that the data subject was informed and consented in the first place to allowing WhatsApp to have possession of their personal data. If not, clearly the hotel will be held liable in the first instance.
Q: Understanding that GDPR is not a one-off compliance effort (like the rush to fix the Y2K Millennium Bug) and continuous changes will need to be made, is there a grace period on updates? Will there be a global schedule specifying when updates need to be made? How does a company know if it’s up-to-date with all the recent regulations?
A: GDPR is the law and became enforceable on May 25th, 2018. The grace period for meeting GDPR requirements started in April 2016, with a 2-year period allowed for compliance. Although regulators have in the past "extended" enforceability timelines, to date I am not aware of any extension periods for the start of enforcement of GDPR.