or booked these consumers while they were in Europe, it would be subject to the regulation. And if that U.S. brand or property, both referred to as a “data controller” in GDPR parlance, subcontracts to a data processor with operations in the EU, GDPR does apply. (Interestingly, under GDPR, data processors are expected to handle data per the data controller’s instruction. In all cases, the data controller, not the subcontractor, is liable for GDPR noncompliance.)
HOW THE COOKIES CRUMBLE
GDPR has opened the door for some technical changes, such as how online businesses ask site visitors for consent.
“Some supervisory authorities have come out and said the standard ‘We use cookies, do you accept cookies?’ is not good enough anymore, and that under GDPR you need more granularity … or an opportunity to accept or decline each type [of cookie],” says Richard Sheinis, partner in the Charlotte, North Carolina, office of Hall Booth Smith P.C. and head of the firm’s data privacy and security practice group. Like Schulz, Sheinis is a co-chair of HTNG’s workgroup on GDPR and one of the white paper contributors.
Some sites let site visitors accept or reject cookies in each category, such as essential cookies, marketing cookies, and so on. The most popular approach, Sheinis says, is to change the pop-up so that along with a box to accept all cookies, there’s a box to set cookie category preferences. Some sites are adding the option to accept or reject individual cookies within each category.
Not everyone is doing that, “and based upon my reading, I don’t think you need to get that granular,” he says.
GOOD GOVERNANCE
“If we establish that GDPR applies, my first step is always finding out what personal data you have, where it is coming from, what you do with it, where it is within your network, and what vendors you’re sharing it with,” says Sheinis. “Get a good idea of that data inventory, data flow, data mapping, and then go from there.”
There are many tangible benefits from this exercise, he says, including uncovering security vulnerabilities, reducing downtime and creating an infrastructure that is better prepared to deal quickly with data breaches.
“Good data governance is not something you do for GDPR alone,” Schulz says, adding that GDPR is an extra incentive to do this — and that could be a good thing.
January/February 2020 hotelsmag.com 51