Ready or Not, Here Comes the GDPR

When attorney Greg Duff — who founded Garvey Schubert Barer’s hospitality, travel, and tourism group — spoke at HSMAI’s Chief Digital Officer Executive Roundtable last month, he offered an insightful, fast-moving overview of “Legal Headlines and Headwinds for Digital Marketers.” He covered a number of topics, but none resonated with more immediacy than the need to prepare for the European Union’s new General Data Privacy Regulation (GDPR).

Going into effect on May 25, 2018, the GDPR will require any company or organization that collects, processes, or holds data related to individuals who reside in the EU to comply with strict privacy and security requirements. That includes hotels outside the EU. How prepared are they for the GDPR? “My personal experience would say that the big brands, the global brands, are all over this,” Duff said in an interview after the CDO Executive Roundtable.

If you’re not feeling prepared for the GDPR, here’s what you need to know right now:

1. Why should hotel owners or operators outside the EU care about the GDPR? Two reasons, according to Duff. One: “If for some reason data about European residents is being collected or generated in the EU and then transferred to the U.S., the GDPR’s going to apply to you.” And two: “If you are a hotelier offering services to EU residents, the protections of the GDPR follow them. For example, if you’re an operator that has global advertising, global marketing, whatever it may be, and you’re seeking to attract EU residents to come to the U.S. and stay in your properties — they come with all of the requirements associated with the GDPR.”

2. Does the GDPR have an enforcement component even outside the EU? Yes — a company can be fined up to €20 million or 4 percent of total global revenue for noncompliance with the GDPR. “The U.S. Department of Commerce has vowed to the EU that they will assist in the enforcement,” Duff said. “Frankly, if they don’t and if the Europeans feel that the U.S. is not living up to its commitments, then the U.S. runs the risk of not having any opportunity to receive this type of data from the EU.”

3. If you haven’t addressed the GDPR yet, what should you do right away? A few things, Duff said. Step one: “It is critical to understand: What data do you collect, and what do you do with it?” Step two: “Find a knowledgeable resource to help you. If nothing else, it may mean making sure that your website has been reviewed and updated to reflect these new requirements.” Step three: “This would be, ‘Now we need to be concerned about all our vendors and suppliers and what they’re doing. How do we tackle them?’”

More than anything, you need to make sure that your entire team is not just aware of the GDPR, but actively coordinating their efforts to comply with it. “There’s many times a disconnect between the people charged with drafting privacy policies versus those that actually are responsible for managing the data,” Duff said. “It’s interesting the number of times that those two sides don’t talk.”

About Greg Duff

Greg Duff of Garvey Schubert Barer founded the firm’s international Hospitality, Travel and Tourism practice. Greg’s personal practice is dedicated to a variety of hospitality operational and technology matters, including sales and marketing, e-commerce, distribution, technology transactions and procurement. Prior to joining Garvey Schubert Barer, Greg served in-house legal roles with Westin Hotel Company/Starwood Hotels and Resorts, Group and Columbia Hospitality. Greg serves as counsel and legal advisor to many of the hospitality industry’s local, state and national trade associations and trade groups, including AH&LA, HSMAI and HFTP. He also serves as an adjunct faculty member of the University of Washington School of Law teaching courses on hospitality law.
