GDPR arrives: The known unknowns

Unless you’ve been on a distant planet lately, you’ve likely have heard about the new General Data Protection Regulations (GDPR) of the European Union, which have come into effect as of May 25. This new set of regulations by the EU sets forth strict guidelines for the use and treatment of an individual’s personal data (regardless of whether that individual is a consumer or an employee), addresses marketing activities, and provides for specific rights of individuals as it relates to their data.

(Getty Images)
(Getty Images)

Over the past year, I have had various discussions as companies have prepared for GDPR. I’ve seen a wide range of undertakings, and have listened to many debates about how the new regulations may be interpreted and enforced. Interestingly, a global survey of 1,600 organizations by WatchGuard Technologies found that 37% of respondents simply don’t know whether their organization needs to comply with GDPR, while 28% believe they don’t need to comply at all. Very simply, if you manage data for, or have customers whom reside in the EU, you are required to comply.

Given that many of these regulations are somewhat vague, and no case law has yet to be ruled on, it’s interesting to see the different approaches being taken. Some companies have spent countless hours (and dollars) in an effort to be in “compliance” from day one, while others believe that the simple act of “attempting” to comply will be enough of a “get out of jail card,” especially in the early days.

There are several issues that, while seemingly clear, could pose some interesting challenges in how they are complied with.  For example:

  • The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act, and give specific privacy rights in relation to electronic communications, cookies (and similar technologies), security, and customer privacy as regards to traffic and location data, itemized billing, line identification, and directory listings. While there are several methods to obtain consent, under the new regulations there is a much higher threshold to meet, and PECR also requires the retention of that record of consent.
  • Companies must be able to provide evidence of clear and affirmed consent that is specific to the marketer and the method of communication. How will these records be recorded, tracked and be able to be produced, if required?
  • The regulations also refer to data that is required as “necessary for the performance of a contract”.  For example, personal data that is processed to provide information about a reservation.  Could fulfilling that contract also include a series of pre/post arrival communications? The language is rather vague and could be debated about what is necessary. For example, is it “necessary” to a have post stay survey in order to fulfill a reservation contract?

Personal data may be processed if the “controller” has a legitimate interest in processing the data AND if the legitimate interest is not overridden by the rights or freedoms of the individual. Legitimate interests include processing for direct marketing purposes, preventing fraud and processing for the purposes of ensuring network and information security. The challenge is that the assessment of legitimacy is carried out on a case-by-case basis.

In addition, processing special categories of data such as racial or ethnic origin, political, religious or philosophical beliefs, sexual orientation, or health data (to name a few), require explicit consent. You should be aware that you are actually processing sensitive data when someone provides information for wheelchair assistance for airline boarding, or provides allergy information when making restaurant reservations or requests special bedding for hotel reservations.  How will this data be segregated from other personal data?

It is still to be seen how advertising platforms such as Facebook or Google will address this particular issue for their advertising platforms.

  • And last, but certainly not least, is the right to be forgotten. While the PECR addresses issues such as consent for marketing, the GDPR provides an individual with a right to have their profile deleted and to be forgotten for all systems. This is likely the most onerous of all the regulations, as it requires companies to map out all systems where the individual’s data may have been processed.

Taken at heart, this would require companies to be able to track where an individual’s data may reside (for example, in Excel or Word documents, report extracts, etc.), and be able to map, track, and verify other systems that store or process member data (both internal and through contracted third parties).

The regulations are vague as to what is an acceptable period for storing personal data where it is accessible by multiple people, as well as whether such data can be stored for other internal purposes such as fraud detection. This is where initial case law will provide clarity but as of today, it is open to interpretation, and I am aware of various approaches by different companies.

For many companies, especially small to mediums sized ones such as independent hotel companies and individual owner/operators, GDPR may seem onerous. However, it would be unlikely that in the early days the EU would try to make an example of any company that has, in good faith, taken steps to comply. Certainly the ones that might be on the radar would be the large scale data processors. That said, it is essential that any company which has even one customer that resides in the EU has a basic understanding of GDPR/PECR and, at the very least, should challenge their technology providers to certify compliance with this new directive.


 Contributed by Flo Lugli, principal, Navesink Advisory Group, Fountain Hills, Arizona