Preparing for GDPR within travel

The EU General Data Protection Regulation, GDPR, comes into effect on the 25th May 2018 and replaces the existing Data Protection Act (DPA) of 1998.

You will have heard lots about this topic from various vendors and you might feel frustrated by the messages being given and find it hard to relate these to your business. 

By reading this white paper, you will begin to understand the scope of GDPR within the leisure travel sector and the risks your business faces. 

Understanding the risks of doing nothing

On the surface, GDPR can be seen as an evolution of the DPA and not a massive change. This is essentially true with the exception of two key areas: the increase in corporate risk brought about by the potential of extremely large fines for non-compliance or a breach, and the requirement to notify individuals who may have been compromised.

These changes in corporate risk are the most important driver which will ensure compliance. The maximum fine under the DPA is £500,000. The maximum fine under GDPR will be £20,000,000 or 4% of global turnover, whichever is greater.

Add to this the increased risk of reputational damage and compensation claims and it becomes almost impossible to determine what the true cost will be.

It is unlikely that many companies will be fined at the upper end of this new range in the early days of this legislation but, as the risk does exist, expect your insurance companies to start asking detailed questions about what you are doing to mitigate the risk of GDPR.

Where do you start?

The first point to realise is that the Data Controller and Data Processor are expected to be able to demonstrate compliance through accountability. Proving accountability requires auditable evidence created through the application of appropriate organisational and technical measures.

Right from the start of your GDPR journey make sure that you maintain clear records of everything you do because, if you don’t get into good habits from the beginning, it will really hurt further down the road as you go back to plug the holes you left behind. 

You must start by identifying and documenting all information you hold concerning Data Subjects. ATCORE recommends the 4Ws approach. There is a simple rationale behind the 4W process – you need to know where your personal data is, to be able to protect it.

What are you holding? – Identify all personally identifiable information (PII) about Data Subjects which you hold. This is typically items such as name and address, telephone numbers and date of birth, and may even include passport number.

Remember that items such as network addresses are classed as PII as they can be matched with other data sets to identify the individual.

Why do you hold it? – Many organisations find at this stage that they hold lots of information which is never used. If you don’t have a reason for holding the data, consider getting rid of it.

Where is it held? – This might, for instance, be in your reservation system, CRM system or just in copies of invoices in PDF format within the normal file structure of a disk drive.

Who is responsible for it? – This is a key role in ensuring that rules are being followed when handling the data and also provides an identified contact should a non-compliance event occur.

Collectively, these resources once identified are usually referenced as the Information Asset Register.

Data protection by design and by default

A key requirement of GDPR is the implementation by the Data Controller and any Data Processors of data ‘protection by design and by default’. The legislation requires the demonstration of compliance through Accountability, which in turn is proven via Appropriate Organisational and Technical Measures.

It is the responsibility of the Data Controller and Data Processor to ensure that they have implemented appropriate organisational measures. In addition, the Data Controller is responsible for ensuring that the Data Processor understands their responsibilities under the legislation and is taking appropriate measures to comply.

It is the responsibility of the Data Processor to ensure that if data processing is outsourced to a secondary Data Processor, then they must understand their responsibilities under the legislation and take appropriate measures to comply. Furthermore, should the Data Controller behave in a manner which the Data Processor considers not in line with GDPR, then they are required to communicate this non-compliant activity to the Data Controller.

Appropriate organisational measures

Appropriate organisational measures are all about policies and procedures. A short list of some of the most important is shown below with a brief description of each.

Information Security Policy – this is the cornerstone of your approach to information security. Its aim is to act as an index into the policies and procedures applicable to the company and to ensure that personnel have a clear understanding of how this applies to them. Personnel should be expected to sign that they accept the information security policy when joining the organisation and at least annually thereafter.

Acceptable Use Policy – make sure that all personnel understand what they may or may not do when using company resources or acting on behalf of the company.

Data Classification Policy – Make sure that it is clear how data is classified. Unless personnel are clear on what is and isn’t confidential they cannot act accordingly.

Data Retention Policy – Justify how long data can be kept and remove data past this period as required.

Change Management Procedure – Make sure that you track any change. This should include processing requests made by a Data Controller for their Data Processor and, of course, any changes made to the infrastructure used within the company.

User Management Procedure – Last but not least, ensure that when an individual joins, leaves or changes roles within the company, the steps taken to provide access, remove access or change access are clearly understood and any changes required are clearly documented.

Appropriate technical measures

It is important to acknowledge that there is no guidance from the EU WP29 (working party) which defines an acceptable compliance scheme. 

Potentially you could use the ISO 27001 (Information Security Management System) or PCI DSS (Payment Card Industry Data Security Standard) standards to demonstrate your compliance, but in time you may need to adopt an alternative standard once the EU WP29 makes its recommendations.

Regardless of the approach you take, you will need to implement a secure IT environment which will cover the use of firewalls, network segmentation, server hardening, patching, centralised log management and user access controls to name but a few.  

The quality of these measures will be used to determine the level of fine that will be levied should a data breach occur.

Anonymisation

Personal data rendered anonymous in such a manner that the Data Subject is not, or is no longer, identifiable, is considered out of scope for GDPR.  Personal data which has passed its data retention period, which no longer satisfies the requirements of lawful processing (live data copied to test systems) or is subject to a right of erasure request must be made anonymous or removed completely.

Pseudonymisation

This is the technique of minimising the amount of PII used so that the Data Subject can still uniquely identify themselves, whilst ensuring that an individual within the Data Controller or Data Processor does not have the details required to fully identify the Data Subject.

An example of this technique is capturing the last four digits of the phone number and the last three digits of the postcode for searching in conjunction with the Data Subject’s surname. The combination of these fields is likely to be unique, but the data collected remains non-identifying.
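The search key just described, worked through in code. This is an added example and not ATCORE's code: it builds an index that holds only the surname, the last four digits of the phone number and the last three characters of the postcode, so the search desk can find a booking from details the customer supplies without ever seeing the full phone number or postcode. The record layout and the sample bookings are constructed for the demonstration.

```python
"""Pseudonymised search key from partial customer details (added example).

The index the search desk uses contains only the reduced fields; full PII
stays in the reservation system behind the booking reference.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SearchKey:
    surname: str         # normalised surname, letters only
    phone_last4: str     # last four digits of the phone number
    postcode_last3: str  # last three characters of the postcode


def normalise_surname(surname: str) -> str:
    """Lower-case, letters only, so 'O'Brien' and 'obrien' match."""
    return re.sub(r"[^a-z]", "", surname.lower())


def pseudonymise(surname: str, phone: str, postcode: str) -> SearchKey:
    """Reduce the full details to the non-identifying search key.

    Spaces, dial codes and punctuation are stripped first so the same
    customer typed two different ways still yields the same key.
    """
    digits = re.sub(r"\D", "", phone)
    pc = re.sub(r"[^A-Za-z0-9]", "", postcode).upper()
    if len(digits) < 4 or len(pc) < 3:
        raise ValueError("phone needs at least 4 digits and postcode at least 3 characters")
    return SearchKey(normalise_surname(surname), digits[-4:], pc[-3:])


def build_index(bookings):
    """Map SearchKey -> [booking_ref, ...]; this is all the search desk holds."""
    index = {}
    for b in bookings:
        key = pseudonymise(b["surname"], b["phone"], b["postcode"])
        index.setdefault(key, []).append(b["booking_ref"])
    return index


def lookup(index, surname: str, phone: str, postcode: str):
    """Return the booking references matching the customer's supplied details."""
    return index.get(pseudonymise(surname, phone, postcode), [])


# Constructed sample bookings (hypothetical data, not from the paper).
SAMPLE_BOOKINGS = [
    {"booking_ref": "BK1001", "surname": "Smith", "phone": "+44 7700 900123", "postcode": "SW1A 1AA"},
    {"booking_ref": "BK1002", "surname": "Smith", "phone": "07700 900456", "postcode": "SW1A 1AA"},
    {"booking_ref": "BK1003", "surname": "Khan", "phone": "0161 496 0123", "postcode": "M1 1AE"},
]

if __name__ == "__main__":
    idx = build_index(SAMPLE_BOOKINGS)
    # Two Smiths at the same postcode are told apart by the phone digits.
    print(lookup(idx, "smith", "+447700900123", "sw1a1aa"))
```

Note that the index entries are keyed on the reduced fields only, so a copy of the index leaking does not by itself disclose a phone number or address; the full record is reached only through the booking reference in the reservation system.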

Encryption

Encryption is a technique which makes personal data unreadable. In order to read the data, the reader must have authorised access to the encryption functionality and keys so that it can be converted back to the original text.

Encryption is important as it significantly reduces the risk associated with a data breach, as the data cannot be read. Encryption negates the need to communicate with the Data Subjects should a breach occur and would significantly reduce the scale of any fine levied because of a breach.

Lawfulness of processing

Processing is considered lawful if the Data Subject has a contract with the Data Controller or has freely given consent.  

The processing of personal data necessary for the purposes of preventing fraud constitutes a legitimate interest, and is therefore also considered lawful.

In order to demonstrate that you comply with the lawfulness of processing requirements, you will need to demonstrate that you fully understand when a contract applies, the level and period of consent provided by a Data Subject, and how you apply your fraud processing.

Remember also that the personal data can only be used for the purpose for which it was collected. Possibly the greatest impact of this requirement will be that you cannot use the personal data of a Data Subject in a test system.

Contract

A contract, or information required to enter into a contract, is a lawful basis for the processing of personal information. The lawful basis applies to all aspects relevant to the fulfilment of the contract but nothing more.

A holiday booking constitutes a contract.

Legitimate interest – fraud

Protecting against fraud provides a legitimate interest approach to process personal information. After much discussion, this is a common justification to keep booking related personal information for an extended period post booking where expected data retention determines that the contract no longer offers a lawful basis for processing.

Examples of areas this may cover are injury or food poisoning claims made long after the booking has been fulfilled.

Consent

This is the catch-all to provide a basis for the legal processing of personal data. In essence this is covered by the traditional tick box approach, but there are some new caveats:

Asking for consent

  • Consent boxes cannot be pre-ticked
  • Use clear, plain language that is easy to understand
  • Specify the reason you are asking for consent and what you intend to do with the personal data
  • Make sure that you name your organisation and any third parties who may be involved
  • Consent is not a precondition of a service

Recording consent

  • Record when and how consent was gained
  • Keep a record of the reasons you gave for collecting the personal data

Managing consent

  • Regularly review consent to check that the relationship, processing and purpose have not changed
  • Put in place a process to refresh consent at appropriate intervals
  • Allow data subjects to withdraw consent at any time and publicise how to do so
  • Act on withdrawal requests in a timely manner and don’t penalise data subjects who withdraw their consent

Data retention period

The GDPR requires a Data Controller not to keep data longer than is necessary for the purpose for which it was collected. You must have clearly documented data retention periods relevant to the personal data you hold.

You may have two levels of data retention period:

Contractual data – contractual data must be retained for the purpose of fulfilling all aspects of the contract and may be extended based on legitimate interest such as the prevention of fraud and tax or corporate reporting legislation.

Consent data – as a Data Controller, it is for you to define how long consent from a Data Subject can be maintained. The legislation prevents automatic opt-in, requires clear terms & conditions and requires that the data is kept up to date, so open-ended consent periods are not permitted.

Whilst there is no EU WP29 guidance on this subject, the ICO has issued a consultation document which states that the GDPR reflects a more dynamic idea of consent as compared to the DPA. Consent is seen as an organic, ongoing and actively managed choice by a Data Subject, and not simply a one-off compliance box to tick and file away.

Once the final data retention period has passed, any personal data must be anonymised or deleted.
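The two-level retention model above, and the anonymise-or-delete step at the end of it, as an added example that is not ATCORE's code. Contractual data is kept for the contract plus an optional legitimate-interest extension (fraud and claims), consent data is kept for the defined consent period and is erased immediately on withdrawal, and anything past its final period is anonymised by stripping the PII fields. The retention periods, record layout and sample records are constructed assumptions for the demonstration; real periods come from your documented Data Retention Policy.

```python
"""Retention check and anonymisation for booking records (added example)."""
from datetime import date, timedelta

# Fields treated as PII and stripped on anonymisation (assumed list).
PII_FIELDS = ("name", "address", "phone", "email", "passport_number")

# Constructed policy values, not figures from the paper.
CONTRACT_RETENTION = timedelta(days=365)                  # after travel completes
LEGITIMATE_INTEREST_EXTENSION = timedelta(days=3 * 365)   # fraud / claims window
CONSENT_VALIDITY = timedelta(days=2 * 365)                # consent must be refreshed


def retention_decision(record: dict, today: date) -> str:
    """Return 'keep', 'anonymise' or 'erase' for one record."""
    basis = record["lawful_basis"]
    if basis == "consent":
        if record.get("consent_withdrawn"):
            return "erase"  # withdrawal is acted on immediately
        if today > record["consent_given"] + CONSENT_VALIDITY:
            return "anonymise"  # consent period over and not refreshed
        return "keep"
    if basis == "contract":
        end = record["travel_end"] + CONTRACT_RETENTION
        if record.get("legitimate_interest"):
            end += LEGITIMATE_INTEREST_EXTENSION
        return "anonymise" if today > end else "keep"
    raise ValueError(f"unknown lawful basis {basis!r}")


def anonymise(record: dict) -> dict:
    """Drop every PII field; keep non-identifying booking facts for reporting."""
    out = {k: v for k, v in record.items() if k not in PII_FIELDS}
    out["anonymised"] = True
    return out


def apply_retention(records, today: date):
    """Split records into (kept, anonymised copies, erased record ids)."""
    kept, anonymised, erased = [], [], []
    for r in records:
        decision = retention_decision(r, today)
        if decision == "keep":
            kept.append(r)
        elif decision == "anonymise":
            anonymised.append(anonymise(r))
        else:
            erased.append(r["record_id"])
    return kept, anonymised, erased


# Constructed sample records (hypothetical data).
SAMPLE_RECORDS = [
    {"record_id": "R1", "lawful_basis": "contract", "travel_end": date(2017, 3, 1),
     "name": "A. Smith", "address": "1 High St", "phone": "07700900123", "destination": "Malaga"},
    {"record_id": "R2", "lawful_basis": "contract", "travel_end": date(2017, 3, 1),
     "legitimate_interest": True, "name": "B. Khan", "email": "b@example.com", "destination": "Crete"},
    {"record_id": "R3", "lawful_basis": "consent", "consent_given": date(2016, 1, 1),
     "name": "C. Jones", "email": "c@example.com", "purpose": "newsletter"},
    {"record_id": "R4", "lawful_basis": "consent", "consent_given": date(2018, 1, 1),
     "consent_withdrawn": True, "name": "D. Lee", "email": "d@example.com", "purpose": "newsletter"},
    {"record_id": "R5", "lawful_basis": "consent", "consent_given": date(2018, 1, 1),
     "name": "E. Brown", "email": "e@example.com", "purpose": "newsletter"},
]

if __name__ == "__main__":
    kept, anonymised, erased = apply_retention(SAMPLE_RECORDS, date(2018, 5, 25))
    print([r["record_id"] for r in kept], [r["record_id"] for r in anonymised], erased)
```

The decision function is the auditable part: logging its output per record, with the retention period that applied, gives the evidence of accountability the paper asks for.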

Data Subject rights

Right of access for the Data Subject

The Data Subject has the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, a copy of the personal data will be provided in a paper form or a commonly used electronic form, most likely a PDF report.

The Data Controller is responsible for ensuring that the Data Subject is correctly identified.

Right of data portability

The Data Subject has the right of portability for the personal data they provided to the Data Controller. It is expected that this will be an XML or similar data feed based on the same data as used within the right of access request.

Whilst data such as a booking itinerary would need to be included in this request, data concerning itinerary elements, such as a hotel description or photographs, which were not provided by the Data Subject, are not considered part of this requirement.

Right to rectification and erasure

The Data Subject has the right to have incorrect personal data corrected and if applicable, have incomplete personal data completed.

The Data Subject has the right to obtain from the Data Controller the erasure of their personal data, subject to conditions laid out in lawfulness of processing. Erasure of consent and profile data concerning a Data Subject should be immediate. However, removal of data concerning a contract is subject to the data retention period and legitimate interests as discussed earlier.

Revised information security Terms and Conditions 

As a Data Controller you are required to ensure that you have contractual terms with any of your Data Processors which must cover the requirements of the GDPR and to ensure that the Data Processor understands their obligations when acting on your behalf.

As a Data Processor, you are required to ensure that you have contractual terms with any of your secondary Data Processors which must cover the requirements of the GDPR and ensure that the secondary Data Processor understands their obligations when acting on your behalf.

These will be substantially different to existing DPA terms & conditions.