The year was 2018. The FIFA World Cup was being held in Russia. The world was glued to the royal wedding of Prince Harry and Megan Markle. Marvel fans were pumped for the release of Avengers: Infinity War.

Time flies.

To this list, another major event should be added that may be less memorable but is certainly more impactful: the passage of the Global Data Protection Regulation (GDPR).

Last week, the GDPR celebrated its five-year anniversary. To add our piece to the event, we’re recapping key elements of the law that may impact hoteliers and highlighting elements to keep in mind going forward.

About GDPR

The GDPR is a European Union (EU) regulation that protects the privacy and personal data of EU citizens by setting guidelines for the collection, processing, and storage of personal information by organizations and businesses.

At the time of passage, it was a landmark achievement. It set new ambitious standards for data protection (such as consent requirements for data processing, Data Protection Officer requirements, and data minimization rules) and used the geopolitical and economic weight of the EU to forever shape the terms of the debate over consumer rights and privacy.

Its effects have been global. With reach that affects companies that do business entirely outside the EU (known as “extraterritoriality”), businesses around the world have been impacted by the law. In years following its passage, GDPR heavily influenced last in other jurisdictions, such as the CPRA in California and PIPEDA in Canada.

The significance of GDPR quite literally cannot be overstated.

Looking Ahead

What do the first five years of the GDPR tell us about its future? Here is our assessment:

1. Expect enforcement, including fines and penalties, to pick up.

As we previously reported, several events in 2023 may expand the scope of GDPR enforcement. This may include new, additional rulemaking at the European level, court decisions at the European Court of Justice (EJC) that expand the GDPR’s scope, and increased political will to apply current standards to crack down on violators.

Indeed, it appears that the GDPR’s previous relatively light touch may be coming to an end.

In May, Meta (Facebook) received a €1.3 billion fine—GDPR’s largest fine ever—for violating its rules with data transfers to the United States. This has been interpreted by many as a sign of greater enforcement to come.

If it isn’t obvious, these moves make it clear that now is the time to ensure that your organization is compliant with existing rules.

2. Watch for related legislative changes this year.

Despite having the consistent underlying framework of the GDPR, European privacy law has remained in relative flux. The United Kingdom remains in the process of sorting out how it will treat these issues post-Brexit. The EU is considering additional laws like the Data Governance Act, Digital Markets Act, and Digital Services Act, all of which have a chance of passage this year.

Keep your radar up for future changes that may impact your organization’s data policies.

3. Hoteliers should remain vigilant.

GDPR has already impacted the hospitality industry. Fines have targeted chains and individual properties, primarily focusing on video surveillance. This has included small businesses (with fines ranging from €50 to €20,000), so you should not expect to avoid enforcement because of your size.

The anniversary of GDPR is a reminder to familiarize yourself with the law’s requirements and how it may impact hoteliers to stay compliant for the next five years and beyond.

***

Take VENZA’s free Phishing Test to assess gaps in your human firewall today!

Training your personnel to recognize and report phishing attempts is essential to protecting your guests and their data. Get started by determining your risk and readiness level using this free tool.

***

Want to stay informed? Subscribe to the free VENZA Echo now. You’ll receive a monthly digest with the highlights of our weekly article series and important product updates and news from VENZA.