With 2017 behind us, the coming into force of the General Data Protection Regulation is fast approaching. Here, two lawyers respond to the pressing questions travel businesses may have, with an introduction from Karen Round, the Information Commissioner’s Office’s senior policy officer.
Data protection law is changing. From May 25 the General Data Protection Regulation (GDPR) comes into force via the government’s new Data Protection Bill.
The GDPR is an evolution of current legislation that will strengthen the accountability of organisations handling personal information, enhance consumer rights and give people greater control over their own data.
By now, you should be putting in place key building blocks that demonstrate a commitment to responsible data practice: things like making data protection a boardroom issue, understanding what personal data you hold, where it came from and who you share it with.
Making sure your staff are trained is a must – they are your best defence and greatest potential weakness. And ensuring you have measures in place to keep data secure goes without saying.
This commitment to data protection will benefit your customers and your business – you’ll improve customer trust and reap the reputational rewards, allowing your business to thrive in the new privacy landscape.
It’s true that the Information Commissioner has stronger enforcement powers under the new law, but our commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR.
Fieldfisher’s Rhys Griffiths, partner, head of the Travel Group, and Rob Sheldon, partner, technology outsourcing and privacy.
Much of the current legal framework is sustained, but there are some significant changes that businesses should be aware of:
Businesses must demonstrate how they comply with data protection laws, and this will generally take the form of documented records setting out the types of personal data that are being processed (such as names, contact details, customer IDs, payment card details, transaction history, IP addresses and so on), the purposes for which they are processed (for example marketing, to fulfil a contract with a customer such as a hotel or flight booking, or to comply with applicable legal and regulatory requirements), and who it is shared with (for instance service providers such as outsourced data centres and contact centres, and other business partners such as rental car or travel insurance providers).
For the first time, all businesses will need to notify the regulator if they experience a personal data breach. There are some exceptions, but the general rule is that businesses must notify the regulator of such breaches within 72 hours.
For serious breaches, there is an additional requirement to notify those individuals who are affected by the breach. Generally, there is currently no legal obligation on UK travel businesses to notify the Information Commissioner’s Office of a personal data breach, albeit all businesses are encouraged by the ICO to self-report such breaches.
European data protection regulators are given more extensive powers, including the right to conduct audits (without consent); to order the suspension of data flows; and the one which has got all the headlines – the ability to apply regulatory fines of up to 2% or 4% of annual global group turnover or €10 million/€20 million, whichever is the greater. It is not the case that every business which suffers a GDPR breach will receive a regulatory fine, and for those that do, the fine will not necessarily be 2% or 4% or €10 million/€20 million – as with the current regulatory regime, it will depend on the nature of the breach, the sensitivity of the data, the volume of data disclosed and so on.
Current rights – including rights for individuals to see the information which businesses hold about them and to object to direct marketing – are sustained, but they are supplemented with new rights including the right to be forgotten, the right to data portability (to facilitate the switching of data from one service provider to another), and the right to restrict processing. From May 25 businesses cannot charge a fee to those individuals who ask to see the information held about them or who wish to exercise any of the other rights under the GDPR. Also, in the UK, the timeframe for responding to individual requests reduces from 40 days to one month, so any existing notices/policies/processes will need to be checked and updated in this respect.
The GDPR isn’t just restricted to the EU – it also applies to companies based outside the EU which promote their goods and services to EU citizens and to companies that monitor the behaviour of EU citizens.
No. Compliance with the GDPR is ongoing – it’s not a race to May 25 and then you’re done. Those businesses that are already familiar with the Data Protection Act (DPA) in the UK and have processes and policies in place to comply with that will find that there is a lot of existing resource that can be reutilised for GDPR compliance purposes. But we would not underestimate the size of a GDPR programme and the resource and time that may be required, particularly for businesses less mature in terms of DPA compliance. Also, don’t assume that this is a “job for legal” – GDPR programmes require multi-disciplinary teams.
The first task is to ensure you have a solid understanding of what is covered by the GDPR – do you know what personal data is? Not just the definition in the GDPR, but in practical terms for your business. Many are surprised at the range of information which may be caught, such as staff data; information such as contact details about suppliers and business partners; and digital information – you don’t need to be able to name the individual for it to be personal data. Webpages that have been visited, items placed in shopping baskets and not checked out, and device and operating system information may all be personal data when linked to a unique device ID.
Once you’ve got that, the next step is data-mapping to assess how much personal data you process as a business, where it comes from, who it is shared with, where it goes in the world, why you use it, how long you hold it for and so on – again, don’t underestimate the time it may take to complete a data-mapping project.
We wouldn’t recommend this as a general approach and there may be very good reasons for not deleting all of your existing databases, for example if customers have told you that they don’t want to receive marketing from you. The better approach would be to conduct your data-mapping, then assess the personal data that you hold and whether you comply with data protection laws, and if not, what steps can be taken to help you to comply.
There is a lot of hysteria around consent, and misreporting that the GDPR requires all businesses to have consent to all processing of personal data – this is not the case and there are other valid grounds for collecting and processing personal data.
However, e-marketing is subject to an additional set of regulations in parallel to the GDPR – broadly speaking, these require businesses to only contact individuals with e-marketing where they have received each individual’s consent to receive e-marketing (this law is also currently being updated, and like the GDPR, will carry the same enforcement regime).
The best thing to do is to implement your data-breach process… which assumes you have thought about the risk of a data breach before it happens. The best advice is to rapidly contain the breach, that is, fix it and stop any further personal data being disclosed, if possible. In parallel, you should consider whether you are obliged by law to notify the ICO of the breach – there are exceptions around this if there is a technical breach but the data is unintelligible.
Handling data breaches requires a multi-disciplinary team – your data-breach response and management team and process should be in place and is something that businesses can work on now. The GDPR provides the legal basis and timeframe for notifying the regulator and affected individuals, but this is a process that any business would want to actively manage from the outset.