As the volume of sensitive data that hotels store keeps increasing, as more bookings are made and managed from mobile devices, and as attackers become ever more sophisticated, it is perhaps no surprise that new instances of information theft and data loss in the hotel sector are reported on a regular basis.

For example, within a period of little more than a month in late 2015, three of the most recognised companies in the hotel industry announced major breaches of customer payment data.

Given the range of threats and the sanctions available to regulators (fine levels having been increased significantly under the new EU Data Protection Regulation, to up to 4% of turnover or €20m), plans to deal with breaches once they occur should be prioritised at board level, alongside plans to reduce the risk of breaches in the first place, regardless of company size and to the extent they have not been already.

But what precisely should hotel businesses be doing, both before and after an incident, to reduce their risk profile and the risk of receiving a significant fine under the new EU laws?

What The Law Requires

A key piece of legislation in this space, the UK Data Protection Act 1998 (“DPA”), requires a risk based approach to security and requires organisations, including hotel businesses, to take: “appropriate technical and organisational measures … against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

In other words, there is no "one-size-fits-all" solution when it comes to data security: the measures an organisation is expected to take will depend largely on the size of the business, the amount of personal data it processes, the sensitivity of that data and the harm that could result from its loss or misuse.

When a breach occurs, there is currently no general mandatory breach reporting requirement under the DPA, although some bodies have instituted their own requirements (e.g. Central Government), and providers of public electronic communications services are already subject to a separate notification duty under the Privacy and Electronic Communications Regulations.

This is set to change, however, with the new EU Data Protection Regulation, which will apply from May 2018. Under the Regulation, data controllers will be subject to a general data breach notification regime: a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, and affected individuals must also be informed where the breach is likely to result in a high risk to them.