GDPR Checklist: What You Need to Know as a Hotelier
Jos Schaap | ROOMDEX
You’ve likely heard a lot about the GDPR, the General Data Protection Regulation. Before it came into force, organizations were accustomed to collecting large volumes of personal data that were often processed by third parties on their behalf, with little scrutiny of those vendors. The GDPR sharpened the focus on the risks of outsourcing data processing and on the obligations that vendors must meet.
With organizations sharing personal data with third parties all the time, how can you be sure those third parties are compliant? In this article, we provide a refresher on the GDPR (what it is and how it works) and an all-important GDPR checklist to help ensure that both you and the vendor(s) you work with are compliant.
What is GDPR again? And how does it affect my business?
It might be one of those things you sort of understand but hope someone else is handling. Or perhaps, if you are a U.S.-based business, you assume a European law won’t apply to your operations. Whatever the reason, you’re not alone. The GDPR has been in effect for a while now, and many organizations are still struggling to meet its requirements and to understand their responsibilities.
Essentially, the GDPR is an EU regulation on data protection and privacy. Any organization that offers goods or services to people in the EU, or monitors their behaviour, and in doing so stores or handles their personal data, must comply with the Regulation, wherever in the world that organization is based. Under the GDPR, organizations must not only ensure that personal data is collected lawfully; those who collect it are also obliged to protect it from misuse and exploitation, and must respect the rights of the individuals the data describes (the data subjects) or face penalties for failing to do so.
And the penalties are harsh: fines of up to 4% of annual global turnover or 20 million euros, whichever is greater. Both British Airways and Marriott International have faced eye-watering proposed fines that together amount to hundreds of millions of pounds. The UK Information Commissioner’s Office announced its intention to fine Marriott International in the region of £99 million for a breach of guest records that ran from 2014 to 2018.
What responsibility do businesses have regarding third parties?
When you engage a third-party supplier to process or access personal data, that third party becomes a data processor, whereas you, the hotel, are the data controller. Under the GDPR, both controllers and processors have a responsibility to protect personal data. However, and this is the important detail, the controller remains accountable for the processing it commissions: a processor’s failure does not transfer your accountability away from you. You, the hotel, are responsible not only for your own compliance but also for that of your processors, i.e. your vendors.
Therefore, when assessing your compliance, you need to consider every supplier involved in processing the personal data you hold. For example, a third-party vendor that supplies a CRM solution holding your guests’ contact details falls within the scope of your own GDPR compliance. You, the data controller, are accountable for the way that vendor processes personal data.
GDPR Checklist: Ensuring a Vendor is Compliant
While the GDPR may seem complex, achieving compliance shouldn’t feel like a struggle. Below is a GDPR checklist you can use to ensure your vendor(s) are compliant and to help harden your own GDPR compliance.
- Vet your processors: Your first task is to vet your data processors to ensure they take the same stringent approach to compliance and data protection that you do. They should be able to demonstrate their own GDPR compliance strategy, show that they treat compliance as an active, ongoing process, and be able to answer specific questions about where your data is stored, who can access it, and how it is secured.
- DPA (Data Processing Agreement): Once you have determined that a vendor meets your requirements, Article 28 of the GDPR requires a written contract between controller and processor. The agreement should set out terms and conditions to ensure GDPR compliance, such as:
- Establishing the subject matter and duration of the processing,
- Defining the controller/processor relationship, the nature and specific purpose(s) of the processing, the types of personal data involved and the categories of data subjects,
- Mandating that data must not be processed beyond the purpose for which it was shared with the vendor, and
- Establishing the process the third party will use to report any incidents or breaches to you without undue delay after becoming aware of them, so that you can meet your own 72-hour notification deadline to the supervisory authority.
In other words, it needs to clearly cover the scope and purpose of the data processing you are handing over to third-party control.
The contract should also state that:
- your third-party supplier will act only on your documented instructions,
- it will take appropriate technical and organizational security measures,
- it will not engage a sub-processor without your prior written authorization, and will pass the same obligations down to any sub-processor it does engage,
- it will make available the information you need to demonstrate compliance and will allow for and contribute to audits, and
- it will delete or return all personal data to you at the end of the contract.
- Scheduled Reviews: After a third-party vendor relationship has been established, a necessary but often overlooked step is conducting periodic vendor reviews. These evaluations should cover the contract, the lawful basis for each processing activity, the security measures in place, any changes to sub-processors or data locations, and the vendor’s ongoing legal obligations.
Under the GDPR, as a hotelier, you must put in place systems that provide safeguards to protect personal data. Working with third-party suppliers? The message is clear: choose carefully, use robust contracts, review the relationship regularly, and ensure your suppliers take GDPR compliance as seriously as you do.