250 days left to comply with General Data Protection Regulations (GDPR)

  1. Background

The 5,500 members of the Tourism and Hospitality Special Interest Group (SIG) of the Institute of Chartered Accountants of England and Wales (ICAEW) were recently surveyed through an online questionnaire to identify topics on which they wished to be advised. GDPR was the highest rated issue. ICAEW requested me as a member of the SIG Committee to write a short case study that might help members and others better direct and manage compliance within companies and clients. But first a reminder….


  1. What is GDPR?

The General Data Protection Regulation is a regulation by which the European Parliament, The Council of the European Union and the European Commission intend to strengthen and unify data protection for individuals within the EU. The regulation came into force on 24 May 2016 and applies from 25 May 2018, following a two-year transition period. GDPR will apply in the UK and its government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. Thus, organisations such as yours or your client’s have just nine months in which to ensure that data processing activities are compliant. 

GDPR will apply to any business, public authority or charity established in the EU that uses information about living individuals, whether employees, customers or suppliers. It will also apply to any business located outside the EU that offers goods and services to citizens in the EU, or monitors citizens’ behaviour in the EU. 

Sanctions for breaches are severe with the maximum fines for non-compliance the higher (the writer’s emphasis) of €20m and 4% of the organization’s worldwide turnover.


  1. Why do we need GDPR?

GDPR is intended to harmonise data protection laws across the EU by removing the need for national implementation. However, there are some areas that remain unharmonised and in these areas compliance requirements continue from one member state to the next (such as exceptions to data subject rights).


  1. Accountability

The concept of accountability is at the heart of GDPR rules: it means that organisations will need to be able to demonstrate that they have analysed the GDPR requirements in relation to their processing of personal data and that they have implemented a system or programme that allows them to achieve compliance. It also requires demonstration that data protection receives an appropriate level of attention within an organisation and the implementation of a formal data protection programme.


  1. Duty of transparency to guests, customers, staff and suppliers

The legislation imposes several standards upon those organisations to which it applies. It specifies that organisations must not only keep personal information secure, but that they have a duty of transparency towards the individuals to whom the information relates. The GDPR rules apply to almost all private sector data processing by organisations in the EU.


  1. BREXIT does NOT mean the UK companies are exempt

The intention of the UK Government is to maintain standards consistent with the European Union.  GDPR will be brought into national law in the UK by way of the Data Protection Bill, and is intended to continue to apply after the UK leaves the EU.  


  1. What information does GDPR apply to?

GDPR applies to “personal data”. GDPR’s definition makes it clear that information such as an online identifier – e.g. an IP address – can be personal data. The expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people. 

For most organisations, keeping HR records, customer lists, or contact details etc, the change to the definition should make little practical difference. GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual. 

GDPR refers to “sensitive personal data” as “special categories of personal data”. Special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.


  1. Case Study

I am the Chairman of the audit Committee of a privately held Irish company with hotel investments in each of Ireland and Spain. Revenues are about €60m and Fixed Assets exceed €110m. I am also a non-executive Director. 

8.1 Getting started

As the 2016 external audit process was being completed in the early Spring of 2017, and we were reviewing risks for 2017, the external auditors reminded us of GDPR and we resolved to “do something about it”. 

We determined quickly that our lean executive team at Head Office did not have detailed knowledge to address the matter so we asked two independent parties. We formed the view that completion of data protection reviews requires almost exclusively the input of senior experienced professionals who have the relevant business knowledge and experience to complete such an assessment. 

By mid-2017, both proposals had been received and we could review and debate the alternative approaches being proposed. In July we decided which approach felt right to us. 

8.2 General Approach

The advisory firm (who know our Head Office team as well as the Hotel based management teams at the hotels) were appointed and are half way through a multi stage review. 

8.3 Stage 1: Data Requests and Pre-Audit Checklist

This initial phase mapped information processing in the organisation and informed each of the following: 

  • Why are we holding the data?
  • How did we obtain it?
  • Why was it originally gathered?
  • How long will we retain it?
  • How secure is it, both in terms of encryption and accessibility?
  • Do we ever share it with third parties and on what basis might we do so?

The advisers then requested each hotel and Head Office to complete a pre-audit questionnaire which addressed the data protection principles in Article 5 of the Regulation, recording where the requirements are applicable and, where they are, how they have been met. The questionnaire sought to identify potential weaknesses in the current procedures.

This questionnaire was aimed at those with responsibility for data protection and formed part of the initial health-check of current procedures. It assisted in understanding the full range of data protection issues that are faced when personal data is processed. The advisors requested all policy and procedure documents relating to personal data for review.


8.4 Stage 2: Review Data Environment through Information Provided

The advisory firm reviewed what personal data is collected based on the mapping of information and through information provided by the hotels and Head Office. They reviewed the completed pre-audit questionnaire and identified any weaknesses in compliance. They also reviewed existing data governance through review of: 

  • Policies & procedures; and
  • Roles & responsibilities

They discussed specific areas of risk or concerns that may arise, such as:  

  • Where breaches might occur;
  • Anything raised as a concern previously;
  • New concerns; and
  • Any sensitive personal data that it is at risk e.g. medical data, staff visas, etc.

The advisors assessed each hotel’s (as well as Head Office’s) GDPR readiness and developed preliminary recommendations – all of which will be reviewed by the Audit Committee later this month (September).


8.5 Stage 3: On-site Fieldwork 

Following the completion of Stages 1 & 2, the advisers will perform a one day on-site data audit at each hotel. 

The on-site testing of processes and systems will include:

  • Interviews and relevant system reviews to consider the implementation and operation of policies and procedures documented
  • On-site walk through of systems
  • Sampling – sample transactions to ensure processes and procedures are operating as documented
  • Visual inspections
  • Examination of uses of personal data
  • Physical inspection of security procedures
  • Other procedures as deemed necessary


8.6 Stage 4: Reporting and Finalisation

The final reports will be issued for management response within 10 working days of the on-site fieldwork and will be reviewed with the Audit Committee prior to the November 2017 Board Meeting

Report Summaries will comprise of the following: 

  • Overall level of assurance
  • Areas where compliance and governance are lacking;
  • Recommendations for remediation.

The report will address the following matters

  • Training and awareness;
  • Data collection/creation and use;
  • Data storage & security;
  • Data subject rights;
  • Data retention & deletion;
  • Data disclosures & communications; and
  • Overall GDPR readiness plans.


8.7 Conclusion

We hope to have about six months after this exercise to implement the findings and thus ensure the hotels and the business are compliant with GDPR by May 2018.

I hope that this description of our journey will be helpful to you to benchmark your own progress.