By Paul Schlienz


Washington hospitality businesses that serve European customers need to follow a new data protection law.

It’s not often that a European law directly affects massive numbers of U.S. businesses, but this is the case with the General Data Protection Regulation, better known as the GDPR. Effective as of May 25, the GDPR is a new set of rules designed to give European Union (EU) citizens more control over their personal data.

Under the GDPR, organizations will not only be required to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it will be obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners – or face penalties for not doing so, according to ZDNet.


And here’s where U.S. businesses, including many hotels and restaurants, need to pay close attention: The GDPR applies to any organization operating within the EU, but also to organizations outside of the EU if they offer goods or services to customers or businesses in the EU. For example, if you are a hotel that takes reservations from European customers, you will need to follow the GDPR.

The GDPR places legal obligations on businesses to maintain records of personal data and how it is processed. And if your organization does suffer a data breach, you will have a much higher level of legal liability if the breach included personal data on European customers, according to ZDNet.

Names, addresses, photos, IP addresses, genetic markers and biometric identifiers, including fingerprints, facial recognition images, and iris or retinal scans, are all considered personal data under the GDPR. The GDPR also recognizes a “right to be forgotten” for people who want their data deleted if there is no reason to hold on to it.

Under the GDPR, consumers have a right to know if their data has been hacked, and organizations must detail how they use customer information in a clear and understandable way. Already, many companies in Europe, the U.S. and elsewhere are sending customers emails detailing how their data is used and providing them with opt-outs if they don’t want to share their information. This is a direct result of the GDPR, according to ZDNet.

Data breaches must be reported to the relevant supervisory bodies within 72 hours of an organization first becoming aware of the problem. This needs to be done through a breach notification, which must also be delivered directly to the victims. This information may not be communicated only in a press release, on social media or on a company website; it must be a one-to-one correspondence with those affected, according to ZDNet. Non-compliance with the GDPR can lead to fines of as much as 20 million euros or four percent of worldwide turnover, whichever is greater.

Here is a checklist from Revinate for getting compliant with the GDPR:

  1. Establish whether the GDPR applies to your business.
  2. Educate and train your staff members on collecting, accessing, using and disclosing personal information and restricting access to cardholder data.
  3. Know where your data is stored.
  4. Understand who has access to your data.
  5. Seek assistance from experts.

The Washington Hospitality Association is closely monitoring the GDPR and will soon be providing more information on this new law and its obligations for our members. Currently, we are putting together a compliance guide on the GDPR for our members. We know this is an important issue, and we want you to be prepared. Stay tuned.
