Below, we've compiled a summary of the most pertinent facts and recommended actions that corporate housing providers should be aware of as the May 25th General Data Protection Regulation (GDPR) deadline approaches:
What’s just an acronym to some is a crucial set of standards to others. The GDPR is a Regulation adopted by the European Parliament, the European Commission, and the Council of the European Union that will change the way many businesses handle the personal data of customers and employees who live and work in the EU. Come May 25th of this year, the Regulation will officially go into effect. While there are still several “unknowns” about the GDPR, a few things are certain; be sure to understand some of the new processes, laws, and responsibilities by reading below!
Please note, the below text does not serve as legal advice. We encourage everyone to seek their own legal counsel regarding their responsibilities under the GDPR.
First, we must understand who the GDPR is meant to protect. The GDPR is a series of regulations designed to safeguard the personal information of “data subjects,” or residents of the European Union. It’s imperative that corporate housing providers realize that residency, not EU citizenship, is what matters. For example, a transferee could be an American citizen, but if he or she is staying in the EU for an extended period, the transferee is now considered an EU resident, and thus a data subject. This data subject’s personal information (name, e-mail address, IP address, any online identifier, etc.) must now be treated and protected with care.
Under the GDPR, data subjects have multiple new rights to which they are entitled. Those rights are as follows:
- The right to be informed means data subjects must now be informed of the lawful basis* for processing their data, as well as the collecting company’s data retention timelines. Data subjects are also entitled to know if their personal information will be transferred outside of the EU.
- The right to know what personal information a company has allows data subjects to request information about the personal data a company has collected on them.
- The right to rectification holds corporate housing providers accountable for any incorrect information held. It also mandates that companies correct any false records.
- The right to be “forgotten” permits data subjects to request that a company erase all personal data collected on them.
- The right to portability means that a data subject has the right to have information transferred from one source to another, at no personal cost to him or her.
What is Lawful Basis?*
Gordon Kerr, Strategic Consultant for Legal Services at EuRA, identifies three lawful bases that corporate housing providers should understand:
- Consent of the Individual is ensured through consent clauses, signed consent forms, and/or any type of freely executed affirmative action.
- Performance of a Contract means that a temporary housing provider does not need to depend upon a data subject’s consent if the processing of personal data is required for carrying out the duties outlined in a contract. It's important to note here that the contract needs to be in the data subject's possession.
- Collecting personal data on account of Legitimate Interest is lawful as long as the information is used in ways a data subject would commonly expect. The collected data must also be minimally invasive. If a housing provider is collecting personal data based on Legitimate Interest, the provider should follow best practice by identifying and documenting that interest and showing that the data collection is necessary to achieve it.
Next, we must outline who is held accountable by the GDPR. In sum, it’s anyone who offers or sells a product or a service to residents of the European Union and/or companies with employees who live or work in the European Union. In layman’s terms, if a company has any type of presence in the EU, it is now legally obligated to honor the GDPR’s processes.
But what are these processes, and what must corporate housing providers do to become compliant with the GDPR? Unfortunately, there are still many gray areas surrounding the steps that businesses must take to become GDPR-compliant. A few things, however, are clear for housing providers:
- Corporate housing providers need to create a plan to determine new processes for storing and securing data, and they then need to communicate those changes to all parties involved in their day-to-day housing operations. This plan should encompass strategies to store data, and methods to track a data subject’s withdrawal of consent.
- Review all privacy policies and consent forms and ensure they contain specific information outlining the GDPR’s requirements. The European Commission recommends including the following on all policies and forms:
  - Corporate housing provider’s business name
  - Contact name at the organization
  - Purpose and legal reason for collecting any personal data
  - Categories into which the personal data falls
  - Companies or individuals with whom the information will be shared (domestic and international)
  - Details of the data subject’s rights
  - Internal time limit for removing the data from systems
  - Details concerning collecting personal data on account of Legitimate Interest
- Review all contracts. The GDPR requires that contracts be written between entities that handle a data subject’s personal information. All parties are liable to pay fines if personal data is inappropriately exposed.
- Data must only be held for as long as it is relevant and only for the purpose for which it is needed; once the data is no longer necessary for the stated purpose, or for another reason such as a regulatory, legal, or compliance requirement, the GDPR requires that it be erased from the company’s database.
- Temporary housing providers should consider creating a document that states what personal information they have, why they have it, and what they do with it. If a complaint is filed against a provider and an audit occurs, this document may help prove compliance and goodwill.
- Corporate housing providers and everyone else who handles personal information are responsible for the safekeeping and privacy of their tenants’ data, even after that information is shared with landlords, building contractors, groundskeepers, etc.
- Housing providers must notify the authorities within 72 hours of any data breach.
- Finally, housing providers need to update their compliance and legal documents and send those documents to any affiliated parties.
Perhaps one of the most crucial elements of the GDPR is a corporate housing provider’s legal obligation when transferring personal data to countries outside of the European Union. Under the GDPR, data subjects must be provided with clear information detailing where and why their information is being sent outside of the EU. They are also entitled to know how their personal information will be protected while in transit. It’s important to note that sharing personal data with countries outside of the European Union may require additional security measures.
While the advice and information provided above will help corporate housing providers become compliant, it’s important to understand that there is no GDPR audit or certification process that automatically occurs on May 25th, so no one yet truly knows what being 100% GDPR-compliant looks like. What is known is that if any company is found to be non-compliant, the organization could be fined up to 4% of its global revenue or 20 million euros, whichever is greater; it’s clear that fully understanding the GDPR will be crucial after May 25th.
Comprising 99 articles, the GDPR is a very complex set of regulations. We encourage all housing providers to learn the ins and outs of this new policy.
Materials referenced in this article:
A EuRA Legal Report by Gordon Kerr
The GDPR Website
Intersoft Consulting’s Interactive GDPR Booklet
The European Commission's Data Protection Website