Are you ready for new EU data changes? Lawyers warn hospitality risks penalties
Lawyers at London law firm Harbottle & Lewis have warned that the ‘biggest change in European data law in a generation’ will require many companies to review their data collection practices, including collecting more explicit consent from customers to use their data. In many cases, this will mean a shift away from the often-seen ‘tick here if you would like to opt out’ option found on data forms today.
Although formally approved this year, the new regulation will come into force in 2018.
Data concerned will include everything from names and email addresses used for table reservations and mailing lists; credit card details and addresses used to secure room bookings; information taken when offering free Wi-Fi; and medical issues used to inform massage choices at a hotel spa.
Fines for non-compliance will be a proportion of business turnover rather than fixed, meaning that businesses could lose out significantly.
Natalie Smith and Dan Tozer, lawyers at Harbottle & Lewis who work with hospitality industry clients on data protection, said that businesses should be aware of what data they collect, how they use it, and whether the consent notices meet the increased requirements.
Businesses also need to know whether they pass their data to anyone else, and if they are permitted to do so – and if so, what transfer contracts are in place to regulate the process.
IT systems should also be updated, with businesses needing to be aware how they create records for data, how long they keep it for, and how secure the company systems are.
There should also be processes in place to report and respond to any possible data breaches.
Many businesses could benefit from a dedicated data team in most cases – including a data protection officer if necessary ‒ who can judge whether the allocated budget and resources are adequate to properly support data issues.
Commenting on the advice, Smith said: “The new regulation ‒ the General Data Protection Regulation ‒ is the biggest change in European data law in a generation. Although it will come into force in summer 2018, the changes being introduced are considerable and all businesses should be considering these key steps now to prepare.”
