Larry Fretz

GDPR 2018 Is Coming Fast: Don’t Gamble, Act Now

Even if you don’t operate any properties in the European Union, the General Data Protection Regulation may apply to you!

When it comes to data security, few industries are as vulnerable to threats as casino resorts and hospitality. With vast volumes of personal information (e.g., credit card and other personal data) processed by properties every day, both industries consistently rank among the top four most vulnerable to data breaches (Verizon 2017 Data Breach Investigations Report).

Properties receive this information from a variety of different sources including: their websites, third-party booking systems, point of sale systems, amenity venues, emails and faxes, phones and walk-ins. And, to complicate matters even further, they generally store this information in several locations. This data, received from so many sources and stored in so many locations, is highly desirable to financially motivated criminals and must be secured and protected.

Given this environment, there is a lot of pressure placed on organizations to be compliant with data security standards such as the Gaming Control Board and PCI DSS (Payment Card Industry Data Security Standard) to name a few. In May 2016, however, a new legal compliance obligation was conceptualized which went into effect in May 2018 in the form of the European Union General Data Protection Regulation (GDPR). Unfortunately, based on discussions with Info-Tech’s GHRC members, it remains evident that a surprisingly large portion of Executive Officers and CIOs in the U.S., Canada and elsewhere remain in the dark about the level of exposure and heavy fiscal impacts GDPR could have on their businesses.

GDPR is a new regulation passed by European government bodies in an attempt to unify and strengthen the security of European Union citizens’ personal data. The significant impacts are threefold:

The new regulation expands the definition of personal data to include the types of data modern organizations are collecting. For example, IP addresses; economic, genetic, mental, cultural or social identity data; and pseudonymised versions of this data that are easy to re-identify are all covered under GDPR and must be adequately protected.

The definition of Personal Data from GDPR is crucial: Article 4 (1) – ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

GDPR’s reach extends beyond companies within the European Union to include any organization around the world that captures and stores data on EU citizens. The emphasis of the regulation is not company headquarters or branch office locations, but rather where the citizen resides. Any company and its associated subcontractor that collects data on or markets to EU citizens is subject to GDPR. This impacts the entire casino resort and hospitality industry worldwide.

Fines imposed under GDPR have increased – companies can be fined up to 20 million EUR or 4% of annual turnover (i.e. revenue) from their previous financial year. These fines will be imposed on organizations that regulators believe citizens trust and rely on, as well as those that hold sensitive data. For less severe breaches, remediation includes a fine of up to 10 million EUR or 2% of annual turnover, or regular data audits. Data processors will be insulated from these fines, which will be applied to data controllers (the company contracting the processor).

Additional impacts and changes are illustrated in Figure 1.

Figure 1: Customer Journey Workflow

Currently, rules around collecting patron (or potential patron) data are somewhat flexible. Casino resort and hotel operators can be smart with wording terms and conditions and use “opt-out” and implicit consent clauses to swiftly enroll customers into loyalty, VIP, concierge/host programs, newsletters, physical/email marketing campaigns, etc. Generalized consent requests can be used to sign people up to subscriber lists or used to enhance pre- and post-stay customer engagement such as capturing an email address at the time of booking and using it, without further consent, for pre-arrival upsell marketing or post-stay surveying along with web analytics tools for tracking, personalization and retargeting purposes.

These use cases change significantly under GDPR. As illustrated in Figure 1, clear and explicit consent means that operators must: explain to the customer what data is being captured (the nature of the data), why the data is being captured (the purpose of the data), who is requesting the data (the identity of the Data Controller) and who else will have access to the data, and provide customers with the ability to opt out and/or be forgotten, with confirmation of data removal. The end result is transparency about the data being collected: the individual completely understands what data you would like to capture and what it will be used for.

In this new environment, the customer gives unambiguous consent, in an appropriate communication form, for that specific use, and the operator must then request explicit consent again for future marketing campaigns and uses. Given that the general casino model is one that rewards individuals for sharing more information, marketing to EU residents, or to individuals located in the EU, will become more challenging and could restrict the number of EU guests you get through the door.

According to Article 3 of GDPR, the regulations cover any activity occurring within the EU by a data collector, data processor or the data subject (EU Resident). While it is true that non-EU based casinos and hoteliers capture and retain personal data according to their local data protection regulations, collecting any kind of personally identifiable information (PII) on an EU resident could trigger GDPR. Furthermore, the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, the European Commission and the Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union or Switzerland to the U.S. in support of transatlantic commerce. Therefore, a booking event that occurs between an individual in the EU and a hotel outside the EU is considered covered by the GDPR.

There are several steps that casinos and hotels can take to properly prepare for GDPR which include:

Tackle GDPR From a Risk-Based Approach

Gaming and Hospitality organizations can integrate risk into data-driven decision making. A risk-based approach to tackling GDPR is ideal, given the breadth of the regulation and the impending deadline. Designating the current head of risk and compliance, privacy officer or the CISO as the Data Protection Officer (DPO) even if you are not formally required to have a DPO is a key first step.

Gaming and hospitality organizations should then develop an understanding of their current data lifecycle, starting with data discovery. Depending on your data lifecycle maturity, it may become clear that not all compliance initiatives can be implemented by the May 2018 deadline. Therefore, gaming and hospitality organizations should assign a risk score or value to necessary compliance initiatives and work to mitigate the high-risk initiatives first. By integrating GDPR projects into the existing risk framework, you will not only provide documentation for regulators (if that becomes necessary), but also align GDPR with existing organizational norms and practices. An existing PCI compliance framework is a perfect example, as those regulations have many requirements in common with GDPR.

Ensure Consent Throughout the Collection Process

Given the nature of the data being collected and processed by gaming and hospitality organizations, it is crucial that data subjects are both fully aware of and consenting to the information being collected. Throughout data collection events, organizations should ensure that plain language is used and that data subjects are aware of the use cases of their data (see Figure 2). The benefit of a transparent collection process is that organizations will effectively and immediately gain a competitive advantage over organizations intending to conceal their purposes. Understandable terminology, as well as educating the customer, will be crucial in obtaining compliant consent from data subjects.

Figure 2: Penalties and Rights

Integrate GDPR and Breach Notification into Your Existing Incident Response Program

Many of the regulation’s reporting requirements align with most organizations’ existing incident response plans. However, the upcoming regulation is an effective catalyst for revisiting these plans to ensure that a 72-hour response deadline is feasible. For gaming and hospitality organizations, the 72-hour reporting is especially crucial given the extensiveness of the data being stored and processed.

Review the Application Portfolio and Vendor Contracts

To ensure your organization is compliant, you need to start with a broad overview of how personal data is used and why it was collected (see Figure 2), how it is processed, who has access, where it is stored, which third parties are involved, etc. Any work in ensuring compliance will rely on a good overview of the personal data involved, and therefore creating a ‘privacy inventory’ is crucial. This entails:

Log your application and data assets and determine their use:

  • Which data elements contain privacy information?
  • Where is the data physically stored? Is it hosted on premises or in the cloud?
  • Which systems/processes use the information and can create, read, update or delete it?

Analyze your data landscape to determine how well that data is protected:

  • What controls are applied to technology assets and processes to support secure handling and transport of information?
  • What data classification and confidentiality level is required to keep the data safe?

Understand data lineage and where and how that data is being used:

  • What data is collected throughout the customer journey?
  • What applications process the data and how?
  • How secure are those applications?
  • Is the information transferred cross-border?
  • Are there contractual agreements in place with vendors for transferring or sharing data elements?

In summary, with the enforcement deadline for GDPR looming, it is imperative that casino resort operators and hoteliers devise and implement a plan to upgrade their data lifecycle and protection processes. While doing so, create awareness of and full buy-in from the various teams. There may be changes in procedures or systems, so all managers should be aware of GDPR, fully understand it, and be able to assess its impact on their department.

An entrepreneur, former gaming and hospitality CIO and now consultant, executive advisor, and speaker at industry conferences, Larry Fretz is the Gaming and Hospitality Practice Lead at Info-Tech Research Group, where he leverages his 30+ years of expertise to help IT and business leaders realize the full potential of technology to drive organizational growth and business outcomes.