Most golf clubs are not aware of new data protection rules

Most organisations that operate in the hospitality and leisure sector are unaware of data protection laws that come into effect in 2018 – even though the maximum fine for breaching them could put them out of business.

Just a third of the companies YouGov surveyed said they were aware of the new General Data Protection Regulation (GDPR), which comes into force next May.

GDPR represents the biggest change in 25 years to how businesses process personal information and it replaces existing data protection laws.

Under the new rules, the maximum fine for certain data breaches in the UK will rise from £500,000 to €20 million (£17.7 million) or four per cent of global turnover, whichever is larger.

The notification of certain data breaches where there is an impact on privacy, such as a customer database being hacked or a letter being put in the wrong envelope, must be reported to the Information Commissioner’s Office (ICO) within 72 hours under the new regime.

Other changes under the GDPR include an obligation to be more transparent about how personal data is used. Businesses will also need to have processes in place in case an individual asks for all their personal data to be erased.

Seventy per cent of hospitality and leisure companies are unaware of the new fines and 22 per cent say they would go out of business if they received the maximum punishment, a figure that would be much higher for golf clubs.

Just one third of companies say they are confident they would notify the relevant stakeholders within the required timescale of three days.

Joanne Bone, partner and data protection expert at Irwin Mitchell, which was involved in the study, said: “These results are concerning – there’s a very real possibility that a large number of companies will not be compliant in time.”

Nearly half of respondents think that GDPR will have no impact, claiming that GDPR is not an issue for their sector. Fifteen per cent claim it isn’t relevant to their business as they are not a consumer business.

The reality is that the rules encompass a wide range of personal data including employee data, payroll and pension records.

Joanne Bone added: “Contrary to popular belief personal data is not just consumer information. It is hard to think of a business today that does not use personal data. Whether you have employee data, customer data or supplier data – if the data relates to an individual you will be caught by the new data protection laws.”