The GDPR (DSGVO) Countdown is On
By Michael Toedt, Managing Partner and CEO at TS&C GmbH and Robert Selk, Attorney-at-law cofounder of Toedt, Dr. Selk & Coll. GmbH
German companies that comply with the current local Data Protection Act have a clear advantage, as a lot of the regulations will remain the same or be similar.
Hand on heart – have you already taken measures to ensure proper data protection? I doubt that many hoteliers have spent the necessary time on this topic.
There is a difference between so-called "data security", i.e. the technical and organizational measures, and actual "data protection", meaning the protection of a person against excessive collection of personal data by companies, the government etc. Under data protection, "a person" means not only the guests but also employees, suppliers, and other third parties. We will focus on the hotel guests, the direct clients of our industry.
Here are some good reasons why the GDPR should be taken seriously:
- Organizations in breach of the GDPR can be fined up to €20m or 4% of annual global turnover (whichever is greater). This is quite an increase from the former maximum of €300,000. The calculation basis is now the annual global turnover of the organization, which makes compliance all the more important for international organizations with branches in Europe, as the annual turnover of the entire group will be taken into consideration.
- Under the new regulations, managing directors remain personally liable, as do employees.
- The GDPR aims at strengthening the position of any affected person. This will, however, also encourage so-called "warning associations" (Abmahnvereine) to pursue infringements of the GDPR and to instigate legal proceedings. This could lead to the development of a new type of "warning" industry, which increases the risk of being fined.
In other words, this is the last chance to take this topic seriously and to take respective actions.
Record of Processing Activities
The GDPR clearly regulates how data protection must be organized. One of the new obligations is to keep a record of all data processing activities in a so-called Record of Processing Activities. All processes of an organization that involve personal data must be described and documented. The record must also indicate how long the data is stored and when it will be deleted. German organizations that already have documentation following the current German data protection regulations can easily adapt the existing record to the new requirements. Most companies, however, have no documentation that they can build on. A typical organization has about 150 processes that have to be evaluated and documented, and each entry in the Record of Processing Activities can take a couple of hours to create. This gives an indication of the scope of a GDPR project and the work involved in creating the required documentation. And keeping a Record of Processing Activities is only one of a dozen requirements.
The Record of Processing Activities clearly shows where data is processed and what exactly is done with it. In the past, companies had some time to create the documentation, as any inspection was announced in advance by the data protection authorities. As of May 25, 2018, however, the authorities have the right to demand the Record of Processing Activities without any prior notification. There are even discussions about remote access to the records. Even with a longer deadline, a proper record cannot be produced at short notice, because it requires so much input from the specialist departments, such as legal, the data protection officer, IT security, etc. There will be no more buffer for a quick fix. If you want to avoid the risk of being fined, all documents should be more or less available at hand.
Implications for the hotel software
The controller of the data, e.g. a hotel, will be liable for the proper data processing of its suppliers, mainly the software providers ("processors"). This implies that a hotel based in Germany is fully liable for the activities of its software provider, even if that provider is based in the US or in China. The German hotel is obliged to verify that the provider complies with the new regulations; in practice this means a data processing agreement with each processor and, for providers outside the EU, a valid legal basis for the data transfer. This will be extremely challenging for most European hoteliers and might have serious consequences.
The GDPR will also bring big challenges for the industry with regard to technology. An individual hotel works with up to 15 software systems containing guest data. As of May 25, 2018, guests have the right to request information about the personal data stored about them by the hotel. They also have the right to demand deletion of their personal data. Further, a guest may demand that their personal data be transferred back to them or to a third party, e.g. a competitor (data portability). There are certain prerequisites to this, namely that the data was provided by the guest, is processed by automated means and is based on consent or on a contract, but these are mostly met in the case of guest data.
In a fully heterogeneous IT environment, it will be virtually impossible for companies to comply with the new regulations, unless they have a Central Data Management (CDM), a so-called "Above Property System", which centralizes all data streams. A CDM with its central guest profiles enables the implementation of a privacy dashboard meeting the new EU standards.
We highly recommend checking whether your software provider complies with the GDPR. If not, you should switch providers and even consider taking legal action for non-compliance with the legal requirements. Data protection should be part of the software concept (Privacy by Design), and it is your right to work with partners who provide legally compliant software. We advise working only with software providers that guarantee legal compliance. European software companies have had to comply with data protection regulations for many years already and are thus better prepared than providers for which the complex regulations of the GDPR are new territory. Never before has it been more important to select the right software provider.
Since April 2017, dailypoint™ has been working on a holistic GDPR compliance strategy. During ITB 2018, we will present the new privacy dashboard for our dailypoint™ software products. This dashboard will be integrated as a standard module in all dailypoint™ products (kissCRM by dailypoint™, dailypoint™ 360° CDM/CRM, dailypoint™ BOOKING MANAGER and dailypoint™ SMART WLAN). For us "Privacy by Design" means that we take data privacy seriously and support our hotels to do the same.
What can hoteliers expect? With dailypoint™, hoteliers get control of their data, learn who their customers are, individualize their marketing and guest services, run targeted sales actions, get meaningful insights for decision making and have a Central Data Management (CDM) in place to become GDPR compliant. In summary, dailypoint™ is the new centrepiece for all hoteliers who want to benefit from digitalization.
dailypoint™ is headquartered in Munich, Germany and has representative offices in Singapore, Malaysia, Vietnam, China, Taiwan, Hong Kong, Australia, India, the UK, the USA and Dubai. Further information: www.dailypoint.com