TECHNOLOGY
GDPR CONTINUES TO CONFOUND
COMPLIANCE COULD COME DOWN TO EFFECTIVE DATA GOVERNANCE AND RETROFITTING.
Contributed by Ellis Booker
Few regulatory events have roiled global business like the General Data Protection Regulation, or GDPR. Passed by the European Union in 2016, GDPR went into effect May 25, 2018.
Why have these consumer privacy protection rules, which replace the 1995 Data Protection Directive and apply to every business that sells or markets to EU and European Economic Area (EEA) countries, attracted so much attention?
“The core requirements haven’t changed that much” from the 1995 rules — except for heavy penalties and fines for noncompliance, says Finn Schulz, principal at Schulz Consulting, whose 43-year international career includes Westin Hotels, SAS International Hotels, Radisson SAS Hotels & Resorts and Carlson Rezidor Hotels.
Significantly, these charges can be imposed by an EU state’s GDPR “supervisory authority” — without a court ruling or even a consumer complaint.
“The administrative fees are what has triggered everybody to take [GDPR] seriously,” says Schulz, a co-chair of Hospitality Technology Next Generation’s workgroup on GDPR and one of the contributors to its white paper on the topic, which was updated in October. HTNG’s paper offers a comprehensive explanation of the regulatory framework, along with checklists to assist hotel brands.
According to the GDPR Enforcement Tracker website, only one GDPR enforcement penalty to date involves a hotel company – but it was the second-largest fine: Marriott International, in the aftermath of the massive Starwood data breach in 2018, got a €110.4 million (about US$124 million) fine for “insufficient technical and organizational measures to ensure information security.”
COMPLIANCE CONFUSION
GDPR compliance is not as clear-cut as, say, the rules around international credit card transactions. So what should a hotelier do if approached by a country regulator requesting a GDPR audit?
“If you’ve shown an interest and mapped your processes, and tried to change processes that were not compliant, then I think you have a much better argument to enter into a discussion with regulators,” Schulz says.
Possibly the biggest confusion around GDPR is to whom it applies, and where. Take this scenario: European tourists walk into a U.S. property and book a room at the front desk. Such guests are not covered under GDPR. But if the brand had targeted
50 hotelsmag.com January/February 2020