Page 26 - 83998_NSAA_Journal_Fall2018
Regulatory
THE GDPR
Europe’s Data Privacy Rules a Compliance Nightmare for US Companies
BY DAVE BYRD, NSAA DIRECTOR OF RISK & REGULATORY AFFAIRS
IF YOU THOUGHT ADA WEBSITE compliance was infuriating, just wait for the GDPR. The GDPR stands for the General Data Protection Regulation recently enacted by the European Union, which will impact any business—including those outside of Europe—engaging with Europeans via websites, CRMs, credit card processors, emails, or other sales and marketing platforms. This includes many American destination ski areas with European guests, or any other business that offers goods or services to EU consumers.

The new regulations, which took effect this past summer, are designed to ensure the data privacy and identity of EU consumers, and are creating potentially enormous exposures for US businesses that fail to comply. Data breaches involving any EU residents suddenly just became far, far more expensive and damaging.

The regulations have numerous layers of onerous compliance requirements, and will force a radical cultural shift for businesses marketing to EU citizens. If your business offers goods or services to EU citizens—or even simply monitors Europeans through their internet use with your website’s cookies—your business or organization is subject to these strict compliance requirements. And violations involve massive fines—up to 20 million Euros, or 4 percent of a company’s global gross revenues, whichever is greater—although less significant breaches will carry somewhat smaller, albeit stiff, fines.

The GDPR regulations will require businesses serving EU citizens to adopt entirely new approaches to how they collect, process, store, and share personal data of EU citizens. Compliance will be challenging for destination resorts in the Northeast or in the West, and for any ski areas with even nominal visits from any residents of the 28 EU countries. Part of the challenge will be to obtain explicit consent from the EU resident to process or retain his or her personally identifiable data (including parental consent for the use of a minor child’s data).

In addition, businesses covered by the GDPR will need to establish comprehensive governance measures, including adopting privacy policies and tools, data retention plans, reporting protocols for data breaches (within 72 hours, per the GDPR), and auditing and documentation procedures. A new principle called Privacy by Design is a data protection requirement that is designed to maintain privacy compliance throughout the life-cycle of an EU resident’s data used by a particular company.

Furthermore, breaches of these GDPR regulations are likely not going to be covered by most general liability insurance policies. American businesses serving EU consumers should check with their insurance providers to assess appropriate insurance coverage, and whether a cyber-liability policy with a specific GDPR endorsement will protect them. This is likely going to mean that any American business with EU consumers should seriously consider a robust cyber-liability policy that includes coverage for GDPR violations.

Also, more and more American companies will be hiring data protection officers (DPOs) or chief privacy officers (CPOs). And, given that the GDPR will also cover any partner companies (e.g., CRM platforms, ad agencies, web developers, credit card processors, or other similar marketing and sales partners) who work with businesses that collect or process EU consumer data or credit cards, businesses should consider GDPR-specific indemnification provisions in all marketing, sales, and related agreements.

NSAA will continue to analyze these compliance requirements and provide educational seminars at upcoming NSAA and regional conferences, including the NSAA Winter Conferences January 22-24, 2019, at Snowbird, Utah, and February 5-6, 2019, at Killington, Vermont.
24 | NSAA JOURNAL | FALL 2018