Let’s talk about data minimization and consent. This screen is from a Bay Area resort room browsing flow. You can’t skip through it. It’s asking for your name and email “to help provide the best service.” I’ve made countless reservations elsewhere and had perfectly fine service. So what that means (insert Captain Obvious emoji here, if such a thing exists) is this screen is meant for nothing more than harvesting your data for promotions - presumably to nag me via email if I abandon my search before booking. Data minimization and consent are bedrock principles of data privacy oversight — and, in many regions, of legal enforcement. You don’t ask for data you don’t need to complete the action (browse for available hotel rooms to book); you don’t need my name or my email address at this point. *shakes fist at U.S. nonexistent privacy regulation*
Stephanie Lucas’ Post
More Relevant Posts
-
The significance of data privacy is evolving rapidly in the hospitality industry... Especially with the introduction of regulations like the DPDP Act. The industry's leap into digitalization, from online bookings to data-driven personalization, has been transformative. Yet, this digital leap brings a responsibility: protecting the vast volumes of guest data against breaches and misuse. At AGRADA, our work with various hospitality groups has given us unique insights into effectively managing these changes. Here are some key recommendations 👇

Data Mapping and Audits: Map & identify all points of data collection, processing, and transfer. Regular audits are vital for pinpointing compliance gaps and enhancing data protection, especially with third-party integrations and booking engines.

Managing Cross-border Data Transfers: The DPDP Act introduces specific rules for transferring data outside of India. It’s important to ensure these transfers comply with the Act's requirements, and that means having robust and accurate data maps that can identify cross-border flows.

Employee Training: Implement comprehensive training for your staff on the DPDP Act's requirements. Understanding data privacy policies and procedures is key to ensuring compliance and safeguarding guest data.

Consent and Data Subject Rights: Consent for data usage is now one of only two legal bases for processing, and guests have increased rights over their data, including access, correction, and deletion.

Enhanced Security Measures: Robust security protocols are required to protect personal data from unauthorized access.

Transparency with Guests: Clear communication about data usage and policies is essential for maintaining trust and transparency.

Adhering to the DPDP Act isn't just about legal compliance; it's about committing to the highest standards of guest privacy and trust. For hospitality groups, this is an opportunity to strengthen relationships with guests and enhance their reputation in the industry.
-
We want to see services offer safe, age-appropriate experiences for users while protecting their privacy online. 👇 Michael Murray, Head of Regulatory Policy, and John Vincent, Senior Policy Officer, joined Ofcom at the Spring Conference of data protection authorities, in Latvia, to discuss the latest developments on age assurance and our joint work. At the conference, we explained how age assurance falls within Ofcom's online safety remit and our data protection responsibilities, with clear links and interactions in our work, including where age assurance is used to protect online privacy and keep users safe. For example, age assurance measures can be used by online services to identify the age of their users and protect them from harmful content. But when using age assurance tools, services must treat users’ data appropriately to comply with data protection law. Read our latest joint statement 👉 https://lnkd.in/gzsiXmKy We also discussed the use of age assurance by industry and the data protection expectations. Age assurance solutions need to be effective, accurate and have privacy considerations built in from the design stage. All age assurance methods should be proportionate to the risks that personal information processing creates for the child and the level of age certainty that is required for each online service. Age assurance is one tool that can help make this a reality. Read our age assurance opinion 👉 https://lnkd.in/emFfgC2X The Conference of European Data Protection Authorities, the 'Spring Conference' provides a forum for collaboration and exchanging information among European data protection authorities and industry. This year's conference focused on key topics such as navigating evolving EU regulations, addressing privacy in emerging technology, safeguarding health data in the digital era, and promoting effective cooperation.
-
Wrapping Up the Week: Latest in Trust & Safety and Compliance News 🚀

As Friday marks the end of another insightful week, let's recap the significant strides and challenges in the realms of Trust & Safety, Compliance, and Online Safety. Here are the key updates you need to know:

EU Fact-Checking and DSA Compliance: Major tech platforms are under scrutiny for failing to meet EU fact-checking commitments, potentially jeopardizing their compliance with the Digital Services Act. European Fact-Checking Standards Network (EFCSN)'s review highlights a concerning gap in the enforcement of anti-disinformation standards. - Tech Policy Press

EU's Digital Services Act (DSA): This landmark EU legislation is making waves beyond its borders, impacting the operational dynamics of global tech companies, including those in the US. It underscores the growing importance of international cooperation in digital regulation. - The Nation

X Corp's Trust and Safety Staff Cuts: The significant reduction in X Corp.'s trust-and-safety personnel, particularly in safety engineering, poses questions about the platform's ability to uphold online safety standards, potentially affecting both its brand reputation and user experience. - MarketWatch

Musk's Impact on X's Safety Teams: The dramatic downsizing of trust and safety engineers at X following Elon Musk's acquisition brings to light serious concerns regarding the platform's strategies to counter online hate and misinformation. - Forbes

Ofcom's Online Safety Hiring Spree: The UK's communication regulator's significant recruitment drive in online safety roles reflects a global trend toward more robust internet regulation. - Telecoms.com

Child Online Privacy Protection: The proposed updates to COPPA underscore the evolving challenges in protecting children's online privacy, highlighting the role of caregivers and professionals in this effort. - TBHI Telehealth.org

🔍 In Summary: The tech world is grappling with implementing effective misinformation management strategies. The DSA's global impact is reshaping tech regulation beyond the EU. Staff reductions at X Corp. raise alarms about online safety and platform reliability. The growing focus on regulatory measures, as seen in Ofcom's expansion, signals an era of increased digital vigilance.
-
In 2006, the Committee of Ministers of the Council of Europe decided to designate 28 January as Data Protection Day. This day is now celebrated worldwide, under the name "Privacy Day" outside Europe. It marks the anniversary of the opening for signature of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, thus highlighting the influence of Convention 108 and the Council of Europe in the world. For more than 40 years, Convention 108 has influenced and shaped privacy and data protection not only in Europe but also far beyond. Its modernised version (known as Convention 108+) addresses the ever-increasing challenges of an increasingly globalised and digitalised world to build a space for the free transfer of data while preserving human dignity. This makes Convention 108+ a unique and universal tool for legal harmonisation and convergence that puts the human being back in a position of subject and not just object of algorithmic deduction, control and surveillance. The 18th Data Protection Day will be celebrated worldwide on 28th January 2024. The aim of the day is to raise awareness of the challenges of data protection and privacy and to inform people about their rights and how they can exercise them. With this day now celebrated worldwide, the Council of Europe is demonstrating that it plays a major, pioneering and visionary role in encouraging and highlighting the events organised on this occasion. It is also in this spirit that the Convention 108 Committee awarded the fifth Stefano Rodotà Award, intended to reward research work, articles and publications of an academic nature, published or finalised in the previous year by young researchers and dealing with data protection.
-
Hey Queens! 👑 Guess what? Building our online kingdoms means playing by some rules to keep everything cool and safe. Ever heard of GDPR? It’s like a big rule book that helps protect everyone's private info online. When I first started my online journey, figuring out all these rules felt like learning a new language. But then I realized it’s all about keeping our spaces safe. Think of GDPR as the guidelines that help us treat everyone’s details like secret treasures. Imagine your website or social page as your very own castle. You want everyone who visits to feel safe, right? Following rules like GDPR makes your spot a trusted place where everyone knows their secrets are safe with you. It’s not just about dodging trouble; it’s about being the kind of place where everyone wants to hang out. Want to make your online space super welcoming and safe? Here’s the starter pack:

Learn the Basics: Get to know the main rules that keep your site or page friendly and safe.

Be Clear: Tell your friends (aka your followers or visitors) how you keep their info safe.

Protect the Castle: Use good passwords and security to keep all that info safe as if it were your own.

Ask Nicely: Always get permission before you collect anyone’s details. Just like you’d ask before borrowing something.

Rules can be cool, especially when they help make your online world a better place. Think so too? Hit like, drop a comment, or save this post to remember how we keep our kingdoms safe and fun! #RuleTheRules #SafeSpaceOnline #passiveincome #digitalworld #digitalmarketing #digitalproduct #rules #businessonline
-
#Dataprivacy is a big issue considering the amount of information #travelproviders can collect and store. Rules vary around the globe but transparency and strategy must exist between the #travelbusiness and their clients. https://lnkd.in/gHGZgXdt #travel #traveltechnology #travelapps #travelsoftware #travelbusiness #traveltrends #travelindustry #travelproviders #data #datasecurity
-
✈️The real #privacy trend? No industry is getting a pass from a hard look under the curtain, regardless of preemption. This recent announcement from #DOT on initiating a review of #airlines’ #privacypractices and #datasharing / #datamonetization is just the latest example. We often hear from the business side to point to the law that says they can’t do xyz. Or everyone else is doing it / this is how it’s always been done. The data is “anonymous.” That premise assumes no change in the legal lens and that’s where it runs into problems. Pick a sector and every month or two, we’re watching in real time the #FTC, #Congress, #States, #Plaintiffs, #Media, #ConsumerAdvocates challenge whether common data sharing / analytics practices are lawful under today’s expectations. Another good reason to seek input from those outside your industry bubble. Every company assumes risk, of course. But on this topic, the 🙄 in ⌛️approach just won’t work. https://lnkd.in/e2YCuxme
Secretary Buttigieg Announces First Industry-Wide Privacy Review of U.S. Airlines
transportation.gov
-
🔏 Is data privacy a right or a luxury? 💻 This debate is heating up, with the EU's GDPR framing it as a right, while the US leans towards a model where your data is the currency for "free" services. As calls for federal privacy #legislation grow, the key question remains: will privacy be universally accessible, or a premium only some can afford? The future of our #digital world hinges on this balance between luxury and right, much like the difference between economy and business class on a flight. Check out Co-Founder Nick Reese's latest #GotTech piece below ⬇ #DataPrivacy #GDPR #DigitalRights #TechPolicy #frontierfoundry Sultan M. Dr. Roque Martinez, DBA Thomas Morin
Co-founder and COO at Frontier Foundry | Emerging Technology | Quantum | AI | Space | Cyber | Connected Communities
Has #digitalprivacy ever felt like sitting in a cramped middle seat on a crowded flight? Deciding whether #dataprivacy is a right or a luxury is an important #policy distinction as we start to look at drafts of federal privacy legislation. Check out my latest piece on #gotech through the University of Maryland School of Public Policy to find out more. https://lnkd.in/ec7_-6da
Privacy Luxury? — GoTech Insights
gotechinsights.com
-
The latest Decision from the Spanish Data Protection Agency addresses various interesting topics: the nature of information as personal data due to its ability to single out individuals, consideration of unique identifiers as personal data and, most importantly, international data transfers to U.S. in the context of Google Analytics before the establishment of the EU-US Data Privacy Framework. Check out our blog discussing the Decision from our Madrid team. #AEPD #Spain #dataprocessing
Second time's a charm – Spanish DPA's decision on NOYB vs. Google Analytics Part 2
engage.hoganlovells.com
-
Happy Friday! Time for another round up of the data protection news which caught my eye this week:

📣 The ICO has issued new guidance on how organisations can comply with data protection requirements when undertaking online content moderation. The guidance forms part of the ICO's collaboration with Ofcom (which regulates the UK’s Online Safety regime) and ought to be carefully considered by those who are balancing their distinct obligations under the online safety and data protection legislative regimes. Interestingly, the ICO's position is that content moderation undertaken using exact database matching tools won’t constitute automated decision making under Article 22 GDPR because the moderation tool is “operating according to specific, pre-defined parameters representing things that humans have already decided on.” This seems sensible but does beg the question of where the line is for Article 22 to apply given that even complex automated tools usually take “decisions” based on certain pre-defined parameters. If this is a topic of interest please do take a listen to the latest episode of the Legitimately Interesting podcast in which Hannah Crowther and I discuss this further.

📣 There was another development in the never ending saga of Meta’s international data transfers this week. The Irish High Court has given Max Schrems permission to participate in two separate but related High Court cases in which Meta is challenging a decision requiring it to suspend transfers of user data from the EU to the US. Interestingly the High Court held that Mr Schrems was “uniquely and directly affected” by the cases because of the history of his involvement with the issues and the proceedings. As a reminder, Max Schrems has also previously announced an intention to challenge the EU-US Data Privacy Framework, which is also the subject of a challenge by French MEP Philippe Latombe. This story is far from over.

📣 The ICO has today issued enforcement notices against Serco Leisure to stop them from using facial recognition and fingerprint scanning technologies for the purpose of monitoring employee attendance. The ICO found that the use of such technology was not necessary or proportionate because there were less intrusive means available to track attendance such as ID cards or fobs and employees were not proactively offered such alternatives. Organisations which wish to use such technologies therefore ought to carefully document in a DPIA the viability of a range of alternatives before proceeding.

📣 Finally, a date for your diaries - the CJEU will give its long anticipated judgment in the IAB Europe TCF case on 7 March. The outcome could have significant implications for the adtech industry and may also answer fundamental questions about the meaning of identifiability and the scope of the concept of joint controllership. #dataprotection #privacy