The new privacy regulation and its impact on business
From May 25, 2018 all businesses in all industries must apply and comply with new European personal data protection legislation. The General Data Protection Regulation of the EU is the greatest regulatory milestone in this field in the last 20 years. It will have a huge impact on the hotel and tourist industry in particular given the volume of personal data that are processed in these areas. The time left to get up to date is running out fast.
The personal data protection regulation currently in place in Europe varies in how demanding it is from one country to another, because it is the result of the uneven transposition of an EU Directive dating back to 1995. In Spain, the well-known LOPD (Personal Data Protection Organic Law) from 1999 imposes, as we all know, very severe penalties (of up to €600,000) for breaches of the obligations with which companies must comply in this area.
The General Data Protection Regulation of the EU (RGPD) constitutes a paradigm change in the way we need to deal with the rights and obligations related to personal data managed by business.
From now on, the formal obligations imposed by the LOPD (registration of filing systems, drafting of a security document) will disappear and will be replaced with obligations that must be met in practice; furthermore, compliance must be verifiable.
To give a few examples of the main consequences of the new legislation that will affect this industry in particular, we can start with the change in the information that must be provided to customers (and to employees, or to any other data subjects from whom data will be gathered) when asking for their personal data. The RGPD imposes the obligation of informing users about aspects such as what their data will be used for. It will also be necessary to inform users of how to make a data protection-related claim against the company, including the identification of the company’s internal department, the regulator (in Spain, the Spanish Data Protection Agency) or the courts. It will also be necessary to indicate the period during which data will be stored, whether they will be stored outside the EU, and whether the company in question will be sending commercial communications. The explanation cannot be merely generic, as has frequently been the case until now; under the new regulation, clear, plain and complete information must be given on all these aspects. In addition to providing this exhaustive information, it is also necessary to obtain the data subject’s express consent, and where the processing is not directly related to the service provided, that consent must be specific.
Another of the new features of the European regulation is the obligation for companies to draw up and prepare a “processing record”, which is basically a catalogue of all the personal data processing performed by the company, with an analysis of the risks involved in each processing.
This list is required to be drawn up following a procedure called “privacy impact evaluation”.
For each processing activity at the company it will also be necessary to apply two principles, namely “privacy by design” (a privacy risk analysis must be included from the very moment new products and services are designed and defined) and “privacy by default” (also known as the data minimization principle).
Many companies, and especially those that process data on a large scale (massively and on an ongoing basis) or process sensitive data, must appoint a Data Protection Officer, who will be in charge of ensuring, internally, that the legislation is complied with and of answering all the questions raised externally, both by the regulator and by data subjects. The Data Protection Officer must report to the company’s top executives and is under the obligation of notifying any breaches that may have consequences for the persons whose data are being processed. There are other obligations that are too lengthy to list here exhaustively, but it should be borne in mind that the icing on the cake of the entire new system is the penalties, which have increased hugely with respect to the LOPD.
The penalties envisaged in the RGPD go up to €20,000,000 (yes, twenty million) or 4% of the annual global turnover of the previous year (whichever is higher). At an industry level it is sufficient to take as a basis the annual turnover of tourism in Spain in 2016 (around €74 billion) to see the regulatory risk that this industry faces if it does not adapt to the new data protection regulation by May 2018 (€2,960 million).
It is clear that this is an important change in legislation that will have a direct bearing on the hotel business and the tourist industry in general, and it is advisable to take decisions on it immediately. The changes affect internal procedures, the definition of the company’s services and products and even the internal organizational structure.
Garrigues Corporate Law Department