The new regulation could mean increased fines for data breaches and involve costly upgrades of IT systems.

The new Data Protection Regulation will affect all businesses that process data. In order to implement the new requirements, once they have been finalised, hoteliers and caterers will need to carry out a significant overhaul of their data policies and procedures.

The law

Three years ago the European Commission first published its plans to introduce a new Data Protection Regulation to replace the various national laws that exist across the 28 EU member states. The intention is for the regulation to have direct effect in all member states. This would mean that, in the UK, the Data Protection Act 1998 would be superseded by the regulation without the requirement for further legislation.

Progress towards implementation has been slow. In fact, the draft regulation is already the most amended piece of European legislation ever.

Further technical work is still required by the European Council over the coming months and current predictions are that the text will be finalised by spring 2016. Once the regulation is finalised, it will come into force two years after approval.

Expert advice

Although it is still not possible to say with any certainty what the specific changes will be, it is clear that significantly higher fines will be introduced if data breaches occur. The European Parliament is currently proposing maximum fines of €100m or 5% of annual worldwide turnover.

The current proposals also impose new legal obligations, such as a requirement to carry out data protection impact assessments and ensure ‘privacy by design’ for new projects.

Individuals’ rights are also expanded, which will require organisations to introduce new policies, procedures and training to ensure that such rights can be respected.

Although businesses will have two years to prepare, the changes proposed are significant and could well be very complicated to implement. In some cases, businesses will need to make costly changes to IT systems. Businesses that process a large volume of personal data – for example, larger hoteliers and caterers – will be most affected. But all businesses process personal data to some extent, even if only in relation to their own employees, and so the legislation will have far-reaching effects.

Caterer Magazine recommends:

To-do checklist:

Leisure operators should start to consider what changes will be required to their internal procedures as soon as possible, particularly in relation to the following areas:

Data deletion The additional right for an individual to have all of their data deleted in certain circumstances will require businesses to ensure they can identify where all of their data is held and to categorise whether, and when, it needs to be deleted.

Profiling All procedures involving automated processing will have to be scrutinised carefullyand individuals will need to be informed of their rights to object.

Privacy notices These will need to be expanded to inform individuals about retention periods, their individual rights, their ability to complain to the Information Commissioner’s Office (ICO) and the “legitimate grounds” under which data processing is permitted.

Breaches Breach management procedures will need to be put in place and staff trained to handle the new mandatory requirement to notify the ICO of any data security breaches.

Appointment of a DPO If they fall within certain criteria, businesses will need to appoint an expert data protection officer.


Although no date has been fixed for implementation, progress is being slowly made and the changes envisaged are now inevitable.

Leisure operators should therefore familiarise themselves with the proposed changes now, so they can identify the actions that will need to be taken over the next couple of years.


Original article taken from The Caterer.