The 5,500 members of the Tourism and Hospitality Special Interest Group (SIG) of the Institute of Chartered Accountants of England and Wales (ICAEW) were recently surveyed through an online questionnaire to identify topics on which they wished to be advised. GDPR was the highest rated issue. ICAEW requested me as a member of the SIG Committee to write a short case study that might help members and others better direct and manage compliance within companies and clients. But first a reminder….
The General Data Protection Regulation is a regulation by which the European Parliament, The Council of the European Union and the European Commission intend to strengthen and unify data protection for individuals within the EU. The regulation came into force on 24 May 2016 and applies from 25 May 2018, following a two-year transition period. GDPR will apply in the UK and its government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. Thus, organisations such as yours or your client’s have just nine months in which to ensure that data processing activities are compliant.
GDPR will apply to any business, public authority or charity established in the EU that uses information about living individuals, whether employees, customers or suppliers. It will also apply to any business located outside the EU that offers goods and services to citizens in the EU, or monitors citizens’ behaviour in the EU.
Sanctions for breaches are severe, with the maximum fine for non-compliance being the higher (the writer’s emphasis) of €20m and 4% of the organisation’s annual worldwide turnover.
GDPR is intended to harmonise data protection laws across the EU by removing the need for national implementation. However, some areas remain unharmonised, and in these areas compliance requirements continue to differ from one member state to the next (such as exceptions to data subject rights).
The concept of accountability is at the heart of GDPR rules: it means that organisations will need to be able to demonstrate that they have analysed the GDPR requirements in relation to their processing of personal data and that they have implemented a system or programme that allows them to achieve compliance. It also requires demonstration that data protection receives an appropriate level of attention within an organisation and the implementation of a formal data protection programme.
The legislation imposes several standards upon those organisations to which it applies. It specifies that organisations must not only keep personal information secure, but that they have a duty of transparency towards the individuals to whom the information relates. The GDPR rules apply to almost all private sector data processing by organisations in the EU.
The intention of the UK Government is to maintain standards consistent with the European Union. GDPR will be brought into national law in the UK by way of the Data Protection Bill, and is intended to continue to apply after the UK leaves the EU.
GDPR applies to “personal data”. GDPR’s definition makes it clear that information such as an online identifier – e.g. an IP address – can be personal data. The expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
For most organisations, keeping HR records, customer lists, or contact details etc, the change to the definition should make little practical difference. GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
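The point about key-coded data is easy to get wrong in practice: a pseudonym that the organisation itself can reverse is still personal data in its hands, and an unkeyed hash of an email address is not anonymisation at all, because anyone with a guest list can recompute it. The following Python is an added illustration of that distinction; it is not code from the case study or from the advisory firm, and the guest addresses, the `GUESTS` list and the function names are constructed for the example.

```python
"""Added example: why key-coded (pseudonymised) data can remain personal data.
Illustrative only; the guest records below are constructed, not real."""

import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample data, of the kind a hotel booking system might hold.
GUESTS = ["a.guest@example.com", "b.visitor@example.com", "c.traveller@example.com"]


def pseudonymise(identifier: str, key: bytes) -> str:
    """Key-code an identifier with HMAC-SHA256. Without the key the code cannot
    be recomputed, so a candidate list alone does not re-identify the person."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def reidentify(pseudonym: str, key: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Attribute a pseudonym back to an individual by recomputing the code over a
    candidate list. This works for whoever holds the key, which is why the
    key-coded data set is still personal data in the controller's hands."""
    for identifier in candidates:
        if hmac.compare_digest(pseudonymise(identifier, key), pseudonym):
            return identifier
    return None


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of the identifier: a common but weak 'anonymisation'."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def reidentify_unkeyed(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Anyone with a candidate list reverses an unkeyed hash by trial; no secret
    is needed, so the hashed data is no harder to attribute than the original."""
    for identifier in candidates:
        if hmac.compare_digest(unkeyed_hash(identifier), digest):
            return identifier
    return None


def demo() -> dict:
    """Run the three scenarios and return who, if anyone, can re-identify guest 0."""
    key = secrets.token_bytes(32)        # held only by the data controller
    wrong_key = secrets.token_bytes(32)  # all a third party without the key has
    code = pseudonymise(GUESTS[0], key)
    return {
        "controller_with_key": reidentify(code, key, GUESTS),
        "third_party_without_key": reidentify(code, wrong_key, GUESTS),
        "unkeyed_hash_anyone": reidentify_unkeyed(unkeyed_hash(GUESTS[0]), GUESTS),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The practical consequence for a data-mapping exercise like the one described later in this case study is that a "key-coded" extract should be recorded as personal data wherever the key is held, and that hashed identifiers should not be listed as anonymised unless the hash is keyed and the key is genuinely out of reach of the recipient.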
GDPR refers to “sensitive personal data” as “special categories of personal data”. Special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences is not included, but similar extra safeguards apply to its processing.
I am the Chairman of the Audit Committee of a privately held Irish company with hotel investments in each of Ireland and Spain. Revenues are about €60m and Fixed Assets exceed €110m. I am also a non-executive Director.
8.1 Getting started
As the 2016 external audit process was being completed in the early Spring of 2017, and we were reviewing risks for 2017, the external auditors reminded us of GDPR and we resolved to “do something about it”.
We determined quickly that our lean executive team at Head Office did not have detailed knowledge to address the matter, so we asked two independent parties for proposals. We formed the view that completion of data protection reviews requires almost exclusively the input of senior experienced professionals who have the relevant business knowledge and experience to complete such an assessment.
By mid-2017, both proposals had been received and we could review and debate the alternative approaches being proposed. In July we decided which approach felt right to us.
8.2 General Approach
The advisory firm (who know our Head Office team as well as the management teams at the hotels) were appointed and are halfway through a multi-stage review.
8.3 Stage 1: Data Requests and Pre-Audit Checklist
This initial phase mapped information processing in the organisation and informed each of the following:
The advisers then requested each hotel and Head Office to complete a pre-audit questionnaire which addressed the data protection principles in Article 5 of the Regulation, recording where the requirements are applicable and, where they are, how they have been met. The questionnaire sought to identify potential weaknesses in the current procedures.
This questionnaire was aimed at those with responsibility for data protection and formed part of the initial health-check of current procedures. It assisted in understanding the full range of data protection issues that are faced when personal data is processed. The advisers requested all policy and procedure documents relating to personal data for review.
8.4 Stage 2: Review Data Environment through Information Provided
The advisory firm reviewed what personal data is collected based on the mapping of information and through information provided by the hotels and Head Office. They reviewed the completed pre-audit questionnaire and identified any weaknesses in compliance. They also reviewed existing data governance through review of:
They discussed specific areas of risk or concerns that may arise, such as:
The advisers assessed each hotel’s (as well as Head Office’s) GDPR readiness and developed preliminary recommendations, all of which will be reviewed by the Audit Committee later this month (September).
8.5 Stage 3: On-site Fieldwork
Following the completion of Stages 1 & 2, the advisers will perform a one-day on-site data audit at each hotel.
The on-site testing of processes and systems will include:
8.6 Stage 4: Reporting and Finalisation
The final reports will be issued for management response within 10 working days of the on-site fieldwork and will be reviewed with the Audit Committee prior to the November 2017 Board Meeting.
Report Summaries will comprise the following:
The report will address the following matters:
We hope to have about six months after this exercise to implement the findings and thus ensure the hotels and the business are compliant with GDPR by May 2018.
I hope that this description of our journey will be helpful to you to benchmark your own progress.