Summary

We are now over a year on from the major changes made to the European data protection regime by the GDPR so it is time to revisit what the changes mean now for the hospitality sector and investment in it, given increased enforcement activity by regulators, increasing technological complexities and compliance issues continuing up corporate agendas.

The General Data Protection Regulation (“GDPR”) created a considerable stir in 2018, with much being written about its burdensome requirements and high fines. For the hotel and hospitality sector, respecting the privacy of guests is nothing new, though some of the ways in which services are evolving will need some careful consideration in order to maintain this culture and meet the current stringent legal requirements.

Issues arise as digital channels of guest engagement continue to emerge, and new technology-based offerings are developed. Maintaining a focus on privacy becomes more challenging, and a natural tension exists between the principle of data minimisation (a key facet of the GDPR) and the technical innovation which hotel operators are looking to implement.

Now that the GDPR has been in force more than a year, we are starting to see enforcement action by data protection regulators, including in the UK, France, Germany, Greece and others. This applies across all sectors, and is not just an issue for organisations that hold large volumes of personal data. 

As well as regulators, investors are increasingly concerned to probe the compliance efforts of potential targets, and assess risk posed by any deficiencies identified in the due diligence process. This blog examines four topical areas that will be of particular interest to companies operating in the hotel industry.

Determining whether the GDPR applies

One of the most significant changes brought about by the GDPR is that it explicitly extends EU data protection rules and rights beyond the territory of the EU in some circumstances. This is to ensure comprehensive protection of EU individuals’ rights and to create a level playing field for companies active in the EU market.

Although compliance with the GDPR has been mandatory since May 2018, at the time of writing the European Data Protection Board (the “EDPB”) has not yet adopted its finalised guidelines on the territorial scope of the GDPR.  This means that the precise reach of the GDPR’s so-called “long arm” is not yet fully understood. A draft of the guidelines, released for public consultation in 2018, indicates that EDPB will take a robust approach to matters of jurisdiction, even finding the activities of non-EU entities to be subject to the GDPR in surprising circumstances.

Companies in the hotel industry should carefully consider the processing activities they carry out, and whether they may fall within the scope of the GDPR. Where a company belongs to a group that is “established” in the EU, or otherwise targets individuals in the EU as future customers, it may become difficult to escape the conclusion that certain activities are regulated under the GDPR. This will have consequences for risk exposure, and also for the steps that a company is required to take in order to comply.

Data Processing Agreements

It is a common legal misconception that personal data is an asset that is capable of being “owned” and shared freely to “buyers”.  The reality is more complicated. The GDPR provides individuals with a range of rights, including the right to have their data erased in certain circumstances.  Personal data also has a finite “life” – the GDPR requires organisations to delete data that is no longer necessary for the purpose for which it was collected.

It is important for the parties to any arrangement involving personal data to have clarity over their respective roles, as this will have day-to-day compliance consequences and can become particularly important in the event that an agreement is terminated, e.g. which party can retain the data and for what purposes?

Despite regulatory guidance being issued by the EDPB and other regulators including the UK Information Commissioner’s Office (the “ICO”), it is often difficult to discern whether a party is acting as a “controller” or a “processor” of personal data. This distinction has significant consequences. When a controller engages a processor to provide services, the GDPR requires specific processing terms to be set out within a contract, and failure to do so would amount to a breach of the legislation. Where two parties share data as controllers, a situation which is likely to be prevalent in the hotel industry, the contractual requirement is less rigid.  Even here, regulators are likely to expect some form of data sharing agreement is in place in such situations (and if there is “joint controllership” then there should be an arrangement ). In the UK there is a draft data sharing code under consultation; this indicates that the ICO (and likely regulators in other EU member states) will expect formal, documented agreements.

As market positions continue to evolve, companies in the hotel industry should approach the negotiation of data processing provisions carefully. Miscategorising a party’s role could lead to significant issues in the future, such as an inability to access personal data following a corporate event or contract termination, or just an increase in legal complexity and associated costs of a deal. It may also have a bearing on how enforcement is meted out by a regulator. Note that controllers must comply fully with the GDPR. Processors only need to comply with parts of it.

Preparation and response to personal data breaches

Cyber security incidents can cause significant disruption for businesses and, in the worst cases, bring day-to-day operations to a halt. For hotels, there have been reports of vulnerabilities in keycard systems which has the potential for considerable disruption to operations and physical safety fears. Not all cyber security incidents involve personal data. Where an incident amounts to a “personal data breach” for the purposes of the GDPR, organisations are required to file notifications with applicable regulatory authorities in all but the most anodyne of situations; where the breach is likely to lead to a “high risk” for affected individuals, it will also be necessary to notify them directly. Companies should consider the following issues as part of developing an incident management framework:

• Mobilising quickly – who should be involved in responding to a breach? It is likely to be necessary to include a range of internal stakeholders, including IT Security, Legal, Compliance, Communications and HR.
• Establishing communications – how would the crisis team communicate if the company’s IT systems were locked, or the telephone systems down?
• Professional advisers – consider any professional support that the company might need in the event of a security incident, whether that is legal, PR, or forensic IT.
• Notifying insurers – cyber insurance policies are common in some jurisdictions, and an emerging product in others. If your company has a policy in place, review it carefully to identify coverage gaps, exclusions, or mandatory notifications that might need to be made.
• Consider service providers – if the incident has emanated from an external vendor, you will want to call for information from them quickly and you should therefore ensure that you have appropriate contractual rights in your agreements. The communications with any third party vendor will also need to be carefully managed, especially where potential litigation is contemplated.

Adopting new technologies

Whether it is allowing check-in via social media, or apps that allow guest smartphones to replace room keys, as emerging technologies continue to transform the sector, companies should remain alive to their privacy implications. This is all the more challenging since the EU legislature has only partially completed its overhaul of the bloc’s digital laws – even though the GDPR is in force, negotiations over the much delayed ePrivacy Regulation (“ePR”) continue. The ePR is likely to impact the roll-out of internet of things devices, in addition to setting out specific rules relating to electronic marketing and the use of cookies.

Recent press coverage of automatic facial recognition technology deployments around the world demonstrates the reputational impact that can result when affected individuals become aware that their data has been used in unexpected ways. Companies should consider the adequacy of any internal decision-making processes that take place before a new technology is deployed. These processes should incorporate a consideration of:

• Data protection by design and by default – companies subject to the GDPR must take steps to implement fundamental data protection principles such as data minimisation and purpose limitation. In essence, any new technologies should be deployed in a way that least impacts the privacy rights of individuals. Embedding these practices within an organisation will often require staff training and the adoption of new product development policies.
• Data protection impact assessments – where deploying a new technology is likely to lead to a “high risk” for individuals’ rights, the GDPR requires companies to undertake a structured review of that process, in order to identify any steps that can be taken to mitigate those risks. An internal process should be implemented to ensure that the need for this kind of assessment to take place is flagged.