GDPR in the EU and UK: AETHOS' 3 Steps for Complying with Employer Responsibilities

GDPR. Four letters of the alphabet that are proving to represent one of the biggest challenges facing businesses in 2018. The General Data Protection Regulation (GDPR) comes into effect on 25th May across the European Union, including the UK, and impacts any organisation operating within the EU that processes the data of EU citizens, wherever in the world those citizens may be. How organisations hold, store and process personal data will now be subject to higher and more consistent scrutiny, with potentially significant penalties for non-compliance. AETHOS Consulting Group's London Managing Director Chris Mumford emphasizes that much attention is already given to how customer data is handled under GDPR, especially in the hospitality sector, where hotels process a high volume of personal information and payment data. "GDPR not only impacts how a business interacts with its external customers but also how it manages data internally with regard to its employees. In an industry such as hospitality where the labour force is so often highly diverse and comprised of multiple nationalities, most organisations will be affected by GDPR."

Mumford spoke exclusively to Adele Martins, Partner and head of the Employment Department at law firm Magrath Sheldrick LLP, who clarified that GDPR is considerably stricter in its requirements than the UK's Data Protection Act (DPA). Mumford and Martins highlight a number of key features hospitality employers should consider as they address compliance with the new regulations:

- What qualifies as 'sensitive data'?
People naturally regard information about their health or their sexual orientation as more confidential. In the GDPR's terms, Sensitive Personal Data, or Special Categories of Data, include information about a person's race or ethnic origin, their health or sex life, their sexual orientation, political opinions, religious or philosophical beliefs, trade union membership, and genetic and biometric data.

- How is employee consent defined and best obtained?
The GDPR makes it clear that consent must be freely given, specific, informed and unambiguous. It can no longer be implied from silence, pre-ticked boxes or inactivity.

- Where does GDPR compliance lie for businesses whose external suppliers (e.g. payroll providers) are exposed to personal employee information?
With all parties. The advice to controllers is to have appropriate agreements in place with providers to ensure that those providers (processors) are contractually obligated to process data appropriately.

- Would a hotel in New York which employs a French national in the kitchen be subject to GDPR?
A hotel in New York employing a French national is processing the personal data of an EU national, but that EU national is not within the EU. Does that mean the hotel is off the hook? No. The EU national is still likely to be protected by the GDPR, not least because they are bound to return to the EU at some point, and the processing will not stop when they do.

- What are the sanctions for failing to comply?
The maximum sanction under the GDPR is a whopping Euro 20,000,000 or, in the case of a corporate undertaking, 4% of global annual turnover, so the penalty can potentially be much higher than the Euro 20 million figure.

Mumford and Martins urge hospitality employers to immediately manage three critical steps to prepare for the GDPR compliance deadline:

  1. Dedicate data protection personnel internally and at a senior level;
  2. Implement appropriate security measures to ensure that personal data is properly stored, securely processed and retained only for as long as necessary;
  3. Clarify Privacy Notices to ensure that the individuals in question understand what data they are providing.

Chris Mumford has over twenty years of hospitality related executive search and consulting experience gained in the EMEA and North America regions. Having studied and worked in Germany and Japan, Chris opened the US office of a London based hotel recruitment firm in the late 90's. In 2002 he joined a leading global executive search firm and returned to his native UK to establish the EMEA practice.

