GDPR is the looming ‘General Data Protection Regulation’. The regulation came into force on 24 May 2016 and applies from 25 May 2018. Every business that holds information about people has to comply with it. There are just 250 days left… In this piece we look at tourism businesses and GDPR.
The Institute of Chartered Accountants of England and Wales (ICAEW) recently surveyed 5,500 members of its Tourism and Hospitality Special Interest Group (SIG). GDPR came out as the most requested topic for further information. Some of the points in this article are taken from one of the case studies the ICAEW provided to members.
Jones Harris is a member of the ICAEW. In fact we are also the only registered ATOL accountant in Lancashire, and we have broad and deep experience in the tourism and hospitality industry. So much so, we are sponsors at this year’s Marketing Lancashire Tourism Awards.
On that basis, we thought we should point out that tourism and hospitality businesses need to take GDPR seriously. That’s everyone, from the very small B&B upwards.
Just to clear one point up – the UK government has confirmed that Brexit will make no difference to the implementation of GDPR.
Headline points about Tourism Businesses and GDPR
“GDPR applies to any business, public authority or charity established in the EU that uses information about living individuals, whether employees, customers or suppliers. It also applies to any business located outside the EU that offers goods and services to citizens in the EU, or monitors citizens’ behaviour in the EU.
“Sanctions for breaches are severe with the maximum fines for non-compliance of €20m and 4% of the organization’s worldwide turnover.”
You’re probably wincing at the prospect. Most businesses are. You’re also probably wondering why it’s coming into force.
The Purpose of GDPR
The purpose of GDPR is to harmonise data protection law across the EU, replacing the 1995 Directive that each member state had implemented differently, so that the same rules apply everywhere.
It is designed to make your business think about the way in which it uses data, and to be accountable for what you do with it. You should be able to demonstrate that you have reviewed the GDPR rules, understood how they apply to your business, and implemented a system that enables you to comply. You need to be able to prove that data protection gets proper attention in your business.
Of course it also requires you to keep data secure, with technical and organisational measures appropriate to the risk, and to report a personal data breach to the Information Commissioner’s Office within 72 hours of becoming aware of it where the breach is likely to put individuals at risk. You also have a ‘duty of transparency’ to the individuals to whom the information relates: they must be told what you hold and why.
What is ‘Data’?
This information is taken from the ICAEW case study:
“GDPR applies to “personal data”. GDPR’s definition makes it clear that information such as an online identifier – e.g. an IP address – can be personal data. The expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
“For most organisations, keeping HR records, customer lists, or contact details etc, the change to the definition should make little practical difference. GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
“GDPR refers to “sensitive personal data” as “special categories of personal data”. Special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.”
Where do you Start?
Carry out a review of what you are already doing, and document it. The record is as important as the review, because GDPR expects you to be able to show your reasoning.
Ask yourself these questions for each set of personal data you hold (bookings, guest records, mailing lists, staff files, CCTV and so on):
- Why are we holding the data?
- How did we obtain it?
- Why was it originally gathered, and is that still the reason we keep it?
- How long will we retain it, and what happens to it after that?
- Does any of it fall into the ‘special categories’ (for example health or dietary requirements that reveal religious belief)?
- How secure is it, both in terms of encryption (on our systems, on laptops and phones, and in transit) and in terms of who can access it?
- Do we ever share it with third parties (booking platforms, payment providers, cloud services, marketing agencies), and on what basis might we do so?
- What statements do we already provide to the public regarding collection and storage of data?
- What do our existing policies and procedures relating to data collection and storage actually say, and do staff follow them?
When you’ve done all of that, compare what you actually do in your tourism business against what GDPR requires, and identify where you need to do things differently.
At this stage you might need to ask for professional help. You might feel that your staff will need training. Here at Jones Harris we can help to signpost you to organisations and consultants who can help. As a business which relies on technology we have been working on our own GDPR strategy for a long time, so we know how you feel.
Get the latest updates
Make sure that you’re following our website and sign up for the Jones Harris e-newsletter.