After reading and re-reading the 99 articles and the numerous recitals in the General Data Protection Regulation (GDPR), one thing that is crystal clear is that, for the first time, it introduces direct obligations for data processors. The current legislation only holds data controllers liable for non-compliance with data protection law. Data processors will now be subject to penalties and to civil claims by data subjects. As we already know, the GDPR is the biggest shake-up of data protection laws in 20 years, and Article 28(1) specifically spells out for processors that:
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
In other words, data controllers, i.e. the customers of data processors, must choose data processors that comply with the GDPR. A data processor is anyone who processes personal data on behalf of the data controller. The supervisory authorities across all 28 member states (Brexit doesn’t mean the UK is outside the GDPR) will enforce penalties on controllers for a lack of proper evaluation and appropriate contractual engagement of their data processors. Data processors can expect to find themselves obligated to be GDPR compliant and to be able to provide the proper service to their data controllers.
For completeness, the definition of a data controller is given in Article 4(7) of the Regulation:
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
At the end of 2017, Edgar, Dunn & Company (EDC) published the results of a survey of hotels to assess their readiness for GDPR. Hotels manage lots of ‘personal data’ as defined by the GDPR, and they also work with lots of data processors. A significant finding from our survey (undertaken in November 2017) was that 57 percent of the respondents admitted that they had not started the process of GDPR implementation. Interestingly, in our telephone interviews, data processors within the hotel sector implied that they were not responsible for GDPR compliance and that responsibility lay solely with the data controllers. Nonetheless, further questioning found that the majority of vendors did not know when they would become GDPR compliant.
There appears to be some confusion in this area, and we would expect numerous cases of finger-pointing after 25 May 2018: cases where data controllers will declare that GDPR compliance is partially the responsibility of the processor, whereas data processors will claim otherwise.
The UK’s Information Commissioner, Elizabeth Denham, has been GDPR myth-busting:
Myth: GDPR compliance is focused on a fixed point in time – it’s like the Y2K Millennium Bug.
Fact: GDPR compliance will be an ongoing journey.
She went on to say, “Unlike planning for the Y2K deadline, GDPR preparation doesn’t end on 25 May 2018 – it requires ongoing effort”. It’s an evolutionary process for organisations: 25 May is the date the legislation takes effect, but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.
Hetras, part of the Shiji Group and a cloud-based hotel management system, made an interesting comment. They said that German and Austrian hotels were more interested in the legal aspects of GDPR. In fact, their current focus is on other fiscal and legal implementations relating to front-of-house operations rather than on GDPR, which was considered back of house (or back-office operations).
Our hotel survey found, and our client engagements and Guestline both confirmed, that the priority is to conduct a series of briefings with staff, from the boardroom to the shop floor. These all-staff briefings are necessary to explain the requirements of GDPR and to offer guidance on how to meet them.
The regulation also places responsibility on a data processor to maintain a record of data processing activities if any one of the following criteria (see Article 30) is met:
- Processes data that is “likely to result in a risk to the rights and freedoms of data subjects”
- Processes data more than occasionally
- Employs 250 or more persons
- Processes special categories of personal data as outlined in Article 9(1)
- Processes data relating to criminal convictions
Guestline is a leading cloud-hosted property management, distribution and digital marketing technology company. Their General Counsel, Jeremy Espley, recently commented on GDPR:
“The new GDPR legislation is the most significant change in EU Data Protection Law in 20 years and as a result the financial penalties for failing to comply, as well as the risk of potential damage to a hotel’s reputation, are high”.
Jeremy went on to say that it is imperative that the new obligations for both data controllers (hoteliers) and data processors (their suppliers, including companies such as Guestline) are met.
Furthermore, data processors, like controllers, are required to implement appropriate security measures. What is appropriate is assessed in terms of a variety of factors including the sensitivity of the data, the risks to individuals associated with any security breach, the costs of implementation and the nature of the processing.
The greatly increased responsibility of data processors under the GDPR means that the controller/processor contract becomes even more important to the data processor. So far, it has been data controllers who are more likely to be limiting their potential liability by signing the processor up to specific obligations and contractual service level agreements. From now on, once the GDPR is in force, we would expect data processors to take a more active interest in making sure their obligations are precisely defined, because they will be so much more exposed.
Counter-intuitively, privacy by design, a key point in the regulation, will best be achieved with cloud-based technology, which can act as an essential enabler in designing solutions that provide a high degree of privacy for citizens, allowing:
- Data lakes that hold citizen data separate from commercial applications
- Process mapping that reconfigures with the changing data landscape
- Pseudonymised data mapping for large-scale profiling
- Consent management managed locally for commercial applications
- Interactive forms for legal compliance management
- PSD2 compliance, which can link citizen identification to the new digital financial economy
An unintended consequence of a data breach is that a company’s reputation can be destroyed in a matter of weeks: what starts as a trickle of requests soon becomes an avalanche of derogatory social media, which can quickly take damage mitigation out of the company’s hands. Reputational risk is the most damaging of all risks, and GDPR accelerates its impact and consequences. So, don’t just rely on your IT and compliance teams to implement it; it is a board-level and group-wide responsibility.
Whatever the approach, it is unlikely that most organisations will be fully ready for the implementation of GDPR; there is no silver bullet that will make an organisation compliant. Implementing legal notices and updating the data policy statement on your website is one thing; knowing where all the data is buried is quite another; being able to provide evidence and deliver that information to ex-customers in a timely manner is yet another challenge. Unlike the millennium bug, this requirement is real and current and will not disappear after 25 May 2018; its implementation will take longer than the regulators demand, and its impact will be felt for many years to come as data subjects adjust to managing their own digital footprint and demand superior data management.
How Can Edgar, Dunn & Company Help?
Working with EDC, there are three steps to follow to get ready for GDPR, fast-track your strategies to ensure GDPR compliance, or improve your existing plans:
- A light-touch health check – we suggest no more than a few days to assess your current roadmap and readiness against the GDPR requirements – essentially, this is a gap analysis. In some cases, where there is an ongoing in-house GDPR project, it is advisable to gain an outside, independent perspective on your plans.
- An in-depth data mapping of the current processes, people, platforms and places – as required by Article 30 of the GDPR – using a range of sophisticated GDPR-ready documentation tools that best suit your business to perform this step.
Based on our conversations with a range of clients and their suppliers, the GDPR challenges they are experiencing today can be found across travel-related businesses such as hotels, train operators and airlines. The more personal data required in the booking and servicing of guests and travellers, the greater the need for a clear GDPR strategy and for embracing privacy by design.
We have found that most hoteliers and merchants that process personal data are focusing their limited resources on the processes needed to become compliant with GDPR. At this stage, this is appropriate and to be expected. However, at Edgar, Dunn & Company, we believe that the next wave of GDPR frenzy (i.e. post 25 May 2018) will be driven by the need to be more visionary in identifying new business opportunities that leverage data portability, access to centralised customer data and the monetisation of data.