The View From Europe: The hidden cost of not complying with EU Data Regulations
Normally the private sector tends to respond to change far faster than the public sector. This is because it is bottom-line oriented and has an impatient electorate in the form of shareholders, who can vote by disinvesting at any moment. Moreover, companies know that certain kinds of failure can result in reputational damage or personally punitive legal action.
It is therefore surprising, in a region where many companies depend on the Internet to market and transact business, how slow they have been to recognise and respond to new European data legislation governing how they handle the information they hold on EU citizens.
On May 25 a European Union law, the European Union General Data Protection Regulation (GDPR), came into force. The two-year-old regulation provides advanced levels of protection to EU citizens in relation to the personal data that any company anywhere might hold on individuals.
While the GDPR does not restrict companies from using the data they hold, it provides EU citizens with legally enforceable rights about how their personal information is handled.
In outline, the GDPR requires: all entities, whether in Europe or internationally, who hold the data of European citizens to obtain their consent for its processing; collected data to be anonymised to protect privacy; that clients are notified of any data breaches; and that companies guarantee the safe handling of data transfer across borders. Failure to observe its terms could lead in the most serious cases to fines of between £10m and £20m (US$12m to US$24m) or 2 to 4% of turnover, whichever is greater.
This has meant that over the last few weeks almost every European who has ever used the Internet to buy goods and services, or who has ever provided their personal details when seeking information from a website, has been bombarded with requests to allow suppliers to retain and use their data in an agreed manner.
Companies from major airlines such as British Airways and KLM, to law firms, hotels and even companies that may never obviously have been in contact, have been sending e-mails in various and often confusing formats seeking permission to retain and use whatever personal information they hold on their corporate databases.
The issue is of growing importance to consumers given recent corporate security breaches, the loss of personal information, and the development of personal profiling for political purposes using accumulated data.
For the Caribbean hotel sector and those that it contracts to upsell or provide add-on products and services, the regulation is of some significance. Whether suppliers are based in the region or elsewhere, it means that all concerned in any transaction become legally responsible for holding and transferring every EU citizen’s data securely.
According to Frank Comito, the Director General and CEO of the Caribbean Hotel and Tourism Association (CHTA), the regulation is of particular relevance to the hospitality industry as it is unusually vulnerable to data breaches.
He points out that the industry has multiple points at which customer data is exchanged, from reservations and payment processing to rewards programmes and guest services. He notes too that if any EU client now requests their removal from a property’s database, the hotel or supplier must confirm to them that it is doing so and give a time frame in which it will act.
Despite this, and although the regulation is now in effect, few Caribbean hotels appear to have responded. For example, no Caribbean hotel that I have stayed in, any regional airline, or any other tourism-related entity has contacted me to request my permission to retain or continue to use data that they hold quite legitimately.
In contrast, others from the Washington Post to an obscure restaurant in rural Britain have in recent weeks made contact to ensure they are in legal compliance. Moreover, so concerned have some companies in US jurisdictions become about the legal implications of their data gathering from the websites they operate, that they have stopped all Internet access from Europe. For example, if you try to access from an EU country the site of the USVI’s Virgin Islands Daily News, there is a message that says: ‘We’re sorry. This site is temporarily unavailable. We recognise you are wanting to access this website from a country belonging to the European Economic Area (EEA), including the EU, which enforces the General Data Protection Regulation (GDPR) and therefore cannot grant you access at this time’.
While this may be an extreme response, it is not clear why most Caribbean companies are ignoring the legislation or seem unconcerned by the reputational and financial damage that could follow if they experience a data breach and an EU citizen takes subsequent legal action.
Is it because the Caribbean hotel sector believes a data breach is impossible; because it feels it has nothing to fear from remotely introduced regulations; because it is confident that its insurance policies might cover it against any future legal action; or because it believes this is yet one more administrative burden of marginal consequence?
If this is the case, it has failed to see that, potentially huge fines and legal costs apart, the negative publicity that ensues could be just as damaging, as could the reputational harm if just one client’s personal information is misused.
In the last few days the US Commerce Secretary, Wilbur Ross, has taken US disquiet about the GDPR to another level. In an op-ed piece in the Financial Times, he expressed concern that the EU’s new data laws may create barriers to trade. ‘The GDPR creates serious, unclear legal obligations for both private and public sector entities including the US Government. We do not have a clear understanding of what is required to comply,’ he wrote, before going on to describe some surprising trade and security impacts the regulation might have.
His words suggest that data protection may be about to become another front in an escalating trade war that the Caribbean is unlikely to avoid being drawn into.
(David Jessop is a consultant to the Caribbean Council and can be contacted at [email protected]. Previous columns can be found at https://www.caribbean-council.org/research-analysis/)