General Data Protection Regulations and the attractions industry

Major changes to the rules about the processing of personal data – the General Data Protection Regulations – are due to come into force from 25th May 2018 and these will apply to all EEA countries and companies that conduct business in the EEA. Despite Brexit, the UK government has confirmed that the UK will implement GDPR.

Robert_Kluth lorica insurance leisureBy Robert Kluth ACII, Director – Leisure Division, Lorica Insurance

A company that fails to comply with the new rules may be subject to a fine of up to ’20 million or four per cent of the company’s global annual turnover, whichever is higher. Civil claims can also be brought by persons affected by any breach. So this is something that cannot be ignored.

The new rules update and replace the current data protection rules (the Data Protection Act 1998). They introduce a number of changes which affect businesses and organisations responsible for processing personal data. If you gather the data for the benefit of your business you are the Data Controller. The data controller is therefore the person (or business) who determines the purposes for which, and the way in which, personal data is processed.

What are the rule changes under GDPR?

So what is personal data? It is information that relates to a living individual who can be identified by that data, it also extends to data that in isolation couldn’t identify an individual but if combined with other information could identify them.

It includes names, addresses, numbers, location data, online identifiers or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual.

As all theme parks, museums and attractions will hold such information on their employees and many gather personal data on their customer so this is an issue the industry cannot ignore.

The new rules include the following changes:-

1. A requirement to report data breaches to the Data Protection regulator, within 72 hours of discovery so that, if relevant, affected individuals can be contacted and appropriate measures can be taken

2. Individuals will have more access to their own data and how their data is processed

3. A “right to be forgotten’ – individuals have a right to have their personal data erased if there is no compelling reason for its continued processing

4. The conditions for consent have also been strengthened and it must be:

  • “Clear and distinguishable from other matters and provided in an easily accessible form, using clear and plain language”
  • Unambiguous, granular (separate consent for distinct processing operations) and freely given
  • As easy to withdraw as it was to give it
  • Opt out is out! So are pre-ticked boxes. Opt in is in!
  • You must keep clear records to demonstrate consent.

So what do you need to do to get ready for GDPR, as it isn’t that long before it comes into effect in May 2018?

The UK’s Information Commissioner’s Office (ICO) has created a useful checklist of things businesses can do now to prepare and ensure compliance:-

Getting ready for General Data Protection Regulations

1. Ensure that all decision makers and key people in your organisation are aware of the GDPR – they need to appreciate its impact.

2. Document what personal data you hold, where it came from and whom you share it with. Also, organise an information audit.

3. Review your current privacy notices and put a plan in place for making any necessary GDPR changes.

4. Check your procedures to ensure they cover all the rights individuals have. This should also include how you would delete personal data or provide data electronically and in a commonly used format.

5. Update your procedures and plan how you will handle requests within the new timescales and provide any extra information.

6. Look at the various types of data processing you carry out. Then identify your legal basis for doing so and document it.

7. Review how you are seeking, obtaining and recording consent and whether you need to make any changes.

8. Think about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.

9. Ensure you have the right procedures in place to detect, report and investigate data breaches.

10. Familiarise yourself with the guidance the ICO has produced on Privacy Impact Assessments. Then work out how and when to implement them.

11. Designate a data protection officer, if required, or someone to be responsible for data protection compliance, and assess where this role will sit within your structure and governance arrangements.

12. If you operate internationally, you should also determine which data protection supervisory authority you fall under.

Remember the date

Remember the new General Data Protection Regulations apply from 25th May 2018 to companies conducting business in the European Economic Area, who process personal data. As a result, if you gather personal data you will be required to ensure that contracts with all processors comply with GDPR and cover any liabilities appropriately.