GDPR at a glance

By now you have probably heard about the new privacy law enacted by the European Union (EU) that took effect May 25, 2018.  Called the General Data Protection Regulation (GDPR), the new law impacts those organizations based in the EU, and it also potentially applies to organizations outside the EU such as when EU residents make reservations at properties in North America or elsewhere. A primary purpose of the GDPR is to provide individuals with more control over their personal information, and covered organizations are required to demonstrate they handle personal information they receive responsibly.  As of May 25, you may have additional privacy and data protection obligations.

Why does the GDPR matter?

“Privacy” is understood, managed and regulated differently in most of the rest of the world, including the EU, as compared to the US. In the EU, and as reflected in the GDPR, “personal data” does not belong to the organization collecting and using the information, it belongs to the person it identifies, and that person has the right to control how it is processed. Personal data are any information relating to an identified or identifiable individual. The GDPR’s very broad definition of personal data means that a wide range of data elements must be considered when applying the numerous requirements.

GDPR highlights include:

– Significant financial sanctions: Maximum fines of 4% of global revenue or €20 million, whichever is higher – per violation, with no limit to the number of fines assessed by regulators.

– EU-based representative: In some situations, businesses must enlist EU-based representatives, and there can be significant fines for not doing so.

– Breach notification requirement: In the event of a data breach, notification to the relevant EU Supervisory Authority must be made within 72 hours of determining a breach and must also be made to affected individuals without undue delay where there is a high risk to the individual.

– Right of erasure: When applicable, organizations must remove EU consumers’ personal data upon request and without undue delay.

– Record of processing activities: Covered organizations must maintain a record of processing as pertaining to personal information, to include information such as the reasons for the processing, descriptions of the categories of data subjects and the categories of personal data, and the categories of recipients with whom personal information will be or has been disclosed.

– Data privacy governance: In certain situations, requires designating an individual as a “Data Protection Officer” to verify compliance and conduct data protection impact assessments.

– Enhanced supply chain requirements: As applicable, third parties that process personal information on a company’s behalf must agree to implement appropriate privacy/data protection measures under the GDPR, and service providers are accountable for their own privacy/data protection compliance.

What should be done to comply with the GDPR?

You may want to consider a few initial activities to get started if you have not already begun your GDPR activities.  First, ensure the leaders in your organization are aware of the GDPR’s foundational expectations. The links below provide information to help you get started.  Also, seek the assistance of applicable legal counsel.  It is important to understand what is, or is not, required for your unique environment. And, if your property has its own website, in collaboration with legal counsel, review the privacy policy to ensure it provides the necessary disclosures.

Helpful resources: