24 May GDPR Advice for Retail and Hospitality Businesses
GDPR is on everyone’s lips recently. For many, it’s because they’re receiving a daily deluge of emails asking them to review, and consent to, the ways businesses are processing their personal information: from Facebook & Google to recruitment agencies and the providers of the tools you use to manage your business (hosting, payments, marketing, finance…the list goes on). Often, these mails come from companies you’ve forgotten you have a relationship with (and in some cases never did), which raises the point – should these businesses have your information in the first place?
With all these messages clogging up my inbox, it became apparent that they were coming from certain types of businesses and that GDPR-related messaging from others was conspicuously absent. Businesses from the food and beverage, accommodation, travel and retail sectors have spared me from further consent fatigue in recent weeks. And maybe that’s a good thing. After all, if they have already been meeting much of the data protection legislation in place, there may be no need to pull me away from my afternoon coffee and ask me to consent purely as an exercise in demonstrating that they’re busy doing something about GDPR. If that’s the case, it’s very much appreciated!
I’m not so sure that tells the whole story though. These sectors have the same challenges as anyone else, and in many cases have a bigger mountain to climb than solely-online providers as they need to consider information management outside of the digital realm.
In this article I’ll look at common areas that fall under scope of GDPR for these types of businesses.
Let’s begin by looking at the reason that many have been reaching out – to stay in touch with you with marketing communications. The GDPR says that information must be processed lawfully. There are several lawful bases that the GDPR allows personal information to be processed under. In the case of electronic marketing communications (the ePrivacy Directive also comes into play here), there are two bases that companies will be processing under most often:
- Customers consented to receiving your communications (consent-based processing)
- There is a legitimate interest present for both the business and the receiving individual (legitimate interest-based processing)
Consent is a demonstrably easier one to stand over – the individual explicitly gave you their information for the purposes you are reaching out to them. Legitimate interest is a balance test and will usually only pass muster if the individual has previously bought a product or service from you and you are contacting them for a related reason. This is called soft opt-in. Importantly, they should have been given a chance to object to you processing their data on this basis (i.e. opt-out of it), at the point you collected their information in the first place and at every communication since that point (those little unsubscribe links in the footer of emails). Businesses have been assessing whether they have a valid basis to continue such communications and if not, have been reaching out to get on a firm footing prior to May 25th.
Products & Services
If, for example, you’re a hotel or retail operation, you are delivering products and services to your customers. This involves your customers agreeing to a contract (e.g. Terms and Conditions) for the provision of those products and services. In preparation for GDPR, you should review the personal data that you are collecting to fulfil these contracts. Ensure that you have a lawful basis to collect and process the information. If you are collecting information beyond what is necessary for the performance of the contract, you need a lawful basis for this, and in most cases that will be consent-based (e.g. marketing communications). Information you are collecting for other purposes should be clearly separate from what you are collecting to fulfil the contract.
You have an obligation to collect only the information you need now and not to collect more than needed on the basis that you may use it in the future. This is the principle of data minimisation and you should make efforts to ensure that you are meeting it.
For information that you are collecting, consider how long you need to retain it. In the case of retail transactions there is a statutory obligation in Ireland to maintain records for Revenue purposes up to 7 years from the date of the transaction. Where a retention period is not covered by a statutory obligation, you should be setting it based on a demonstrable business need to retain it and beyond that point it should be removed. Hotels often require copies of identification documents such as passports. Retention periods should be set and enforced on this data.
In many cases it may be reasonable to have a retention period of between 12 and 24 months but you should assess this as it relates to your business and your existing relationship with that customer.
The payments sector has been subject to the Payment Card Industry Data Security Standard (PCI DSS) for some time now, and any business accepting card payments should be PCI compliant. The GDPR is another regulatory hurdle to meet when processing data that can pose a risk to individuals. Businesses should ensure that they use a system that supports tokenisation of payment details, which in effect brings that data out of the scope of GDPR, as the ‘token’ that is returned to the retailer is not considered personal data. This can significantly de-risk the business should it ever have to deal with a data breach event.
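To illustrate why tokenisation de-risks the retailer, here is an added example (not code from the original article or any payment provider): a stand-in token vault that holds card numbers, and a hotel booking system that only ever stores the random token plus the last four digits. The vault, class names and the sample card number are all constructed for the illustration; a dump of the booking records contains nothing that looks like a card number.

```python
import re
import secrets

# Matches a full primary account number (PAN), 13 to 19 digits.
PAN_RE = re.compile(r"^\d{13,19}$")


class TokenVault:
    """Stands in for the PCI-scoped tokenisation service a payment provider
    runs. Only this component ever holds the card number (hypothetical)."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenise(self, pan: str) -> str:
        if not PAN_RE.match(pan):
            raise ValueError("not a card number")
        # The token is random, not derived from the PAN, so it cannot be
        # reversed without access to the vault's mapping.
        token = "tok_" + secrets.token_urlsafe(16)
        self._pan_by_token[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        # Detokenisation happens inside the vault; the retailer never sees the PAN.
        return token in self._pan_by_token and amount_cents > 0


class HotelBookingSystem:
    """What the hotel keeps: the token plus non-sensitive display data."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.bookings = []

    def store_card(self, guest: str, pan: str) -> str:
        token = self.vault.tokenise(pan)
        self.bookings.append({"guest": guest, "card_token": token, "last4": pan[-4:]})
        return token


def pans_in_dump(records) -> list:
    """Simulate what a leaked copy of the booking database would expose:
    return every field value that looks like a full card number."""
    return [v for r in records for v in r.values()
            if isinstance(v, str) and PAN_RE.match(v)]
```

If the booking records were instead storing the raw card number, `pans_in_dump` would return it and the whole booking database would be in scope for both PCI DSS and GDPR breach notification.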
There can, however, often be a weak link in the chain when a business manually collects payment details before inputting them into a PCI compliant system. This is often the case in the hotel sector, for instance. Taking card details over the phone for bookings is, depending on the staff training, policies and procedures in place at the company, an opportunity for this high-risk data to escape the protections that should cover it. How many times do you hear that your calls may be recorded for “training and quality purposes” when you call a hotel, during which you are giving out your payment details? How are those recordings managed? For how long are they stored? Who has access to them? How are those details processed over the phone? Are they entered directly into a terminal for processing, or are they written down for later processing? What protections are in place on the terminals where they are processed?
When it comes to small businesses, the POS environment used to process payments may be connected to a computer that wears many hats within that business. It could also be used to manage communication with customers, send personal emails etc. Procedures for keeping PCs up to date with anti-virus and anti-malware protections come into play here.
You should be thinking about how you maintain the integrity and confidentiality of the personal information that you collect. It’s one of the data protection principles (Art. 5 GDPR), and many of the other principles complement each other in achieving these aims.
- Data Minimisation – Only collect the information that you need. This helps lower your risk.
- Storage Limitation – You can’t lose what you don’t have. If you don’t have a business need for the information (which should be covered by a lawful basis to process it) or a legal obligation to maintain it, then delete it. If it’s paper-based – shred it!
- Integrity & Confidentiality – Maintain appropriate controls and protections (not only electronic-based) on the information you process. Limit who has access to it to those that need to.
Most businesses need computers and devices to carry out their operations. Think about the controls you have in place on these:
- Is their security kept up-to-date (operating system software, antivirus, anti-malware)?
- Are USB ports locked down?
- How do you retire old assets (computers, company phones etc. that are past their prime for the business but that you may sell on to a third party or dispose of)? Is there a documented procedure in place that is followed?
- Controlled access to areas where personal information is stored – do you have locked rooms and secure cabinets for hard-copy filing?
- Do you have encryption in place on your devices? The biggest contributor to data breaches is accidental loss.
- Have a website? You likely collect personal information through it. Ensure you have appropriate security (e.g. TLS) and maintenance contracts in place that keep the software, often a content management system (CMS) like Umbraco or WordPress, and the plugins that are used, up to date.
Your Customers’ Rights
The GDPR confers several rights to individuals. Not all of them are absolute rights, and in some cases, you’ll have a legal obligation that outweighs their right, but in many cases, you will need to have procedures in place to facilitate them.
A good place to start is being transparent about how you collect and process personal information. You should be reviewing your privacy statements, explaining the lawful basis you collect under, how you process information and what your customers’ rights are after they have given you their data. Look at the ICO’s guide to Privacy Notices and Transparency for pointers.
Review your customers’ rights and put in place procedures to be able to fulfil them. Some have defined timeframes for turnaround. Subject Access Requests (SARs), for example, should be responded to within 30 days.
Most data breaches are perpetrated by malicious outside attackers. Interestingly though, it is accidental loss that is responsible for the largest number of breached records (Breach Level Index 2017 Report). This is an area where a few changes to how business is done can lower risk significantly.
[Figure: Breach incidents by industry – 2017 – Breach Level Index]
Hacking & malware are the two biggest threats that lead to data breaches. Social engineering and phishing (emails that trick the receiver into revealing sensitive information) can also lead to a data breach. 10% of phishing attacks result in a breach. One in ten. That’s something to think about.
It’s very hard to put controls around people. People are human after all, and humans make mistakes. In hotel and retail, people are also your biggest asset. They need to be equipped with the knowledge and the tools to do their job and protect the information they come into contact with. Awareness training for new and existing employees is essential. It needs to be formalised and made part of your procedures, no matter how small you are. There needs to be a culture of data protection. The good news is that the effort is usually relative to the scale of processing and the size of your business. You can be a small business, but if you are handling people’s personal information there are obligations that need to be met.
Plan your response
Put a plan in place to deal with a data breach. This will involve a procedure covering the following steps:
- Containment – Contain the data breach to prevent any further compromise of personal information.
- Assessment – Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
- Notification – Notify individuals and the data protection authority if required. Under GDPR, you have 72 hours from the point of becoming aware of the breach to do this.
- Review – Review the incident and consider what actions can be taken to prevent future breaches.
Review your suppliers
The personal data you collect doesn’t always stay within your control. You may use third parties to manage it (under GDPR these are known as data processors, whereas you are most likely the data controller). You may use a payments processor, a marketing campaign provider, a CRM to manage your contacts or an external booking engine to take reservations. All of these are third parties, and you have an obligation to make sure that they can demonstrate compliance. There should be a data processing agreement (DPA) in place between you and your provider, laying out how they are expected to process the information that you share with them. You should also be aware of whether any of the personal data that you manage or share with processors will end up outside of EU jurisdiction. There are mechanisms under which this is acceptable under GDPR, and you should review these options, but where possible you should minimise risk by ensuring that it stays within the EU.
Needless to say, your employees’ personal information is still personal information, and it falls in scope of the GDPR. Some of the employee data you handle will be covered by legislation (e.g. retention periods for wage information, parental leave records etc.), and you should review how you process it with this in mind. You may be engaging with third parties to provide payroll services – do your due diligence on them and ensure you have a contract with them covering how they can process the personal information of your employees.
Train your staff – I’m coming back to this one again, but it is so important – Data Protection Awareness Training is an essential part of embedding a culture of data protection within the business. Have it in place to onboard new employees, train existing ones, and refresh it on a regular basis. Being able to demonstrate you took such measures will stand to you and deliver instant returns on that investment.
What to do if you haven’t started already?
Some businesses have been planning for the arrival of GDPR for a while; others have been busy just keeping busy and may not have had the resources or the inclination to start until now. GDPR is here to stay, and there will be more legislation coming down the line that will further build out the data protection frameworks that businesses need to comply with. Some may see this as an insurmountable challenge – I can assure you it’s not. A lot of it is common sense. It’s not something you need to deliver in a big-bang moment of compliant fireworks, but it is very much an ongoing journey towards what needs to be the new business-normal. So while many are panicking and racing towards the perceived finish line of 25th May, take a deliberate first step on your journey towards compliance and keep on moving forward. You don’t have to be compliant to start… but you do have to start in order to become compliant.
Need help? – We’re here to get you on the right path and walk that journey with you. You can reach me at serveit.com.
Alan is a Data Protection Officer with Fort Privacy and helps businesses realise their web presence goals with custom CMS implementations built to your business needs using data protection by design on the Umbraco CMS platform. More information at ServeIT.com