Could the MGM Resorts data hack place them in violation of Article 27 of the GDPR?
FEBRUARY 20, 2020
News that 10.6 million MGM hotel guests have had their details exposed could lead to questions as to whether they have protected their European based guests in line with the law.
Well-known celebrities including Justin Bieber and Twitter chief Jack Dorsey are among the high-profile people whose details appeared to be included in a data dump online earlier this week. However, as with all major cyber breach news stories, questions immediately arise with regards to the steps the organisation has taken to safeguard their customers’ data.
MGM Resorts International operates globally but does not appear to have a presence in Europe. Under Article 27 of the GDPR, the law states that if you store or retain data on clients, customers or prospects who are based in the EU, but you don’t have a presence in the EU, you must appoint an GDPR representative in the EU to deal with any privacy concerns that EU based data subjects might have regarding your company. This is a legal requirement and there are hefty fines liable for businesses that do not comply with this regulation.
It’s highly likely that a sizable proportion of the 10.6 million customers involved in this breach originated from an EU country. This then leads to a couple of important questions. If MGM does have premises in Europe, have they appointed a member of staff there to deal with any privacy concerns that customers might have? If they do not have a presence there, have they appointed an EU representative? An EU representative provides guests from European countries with a point of contact, should they have any concerns about how their data is being used.
In all likelihood, MGM Resorts may well have Article 27 of the GDPR covered, as they released a strongly worded statement to say: “At MGM Resorts, we take our responsibility to protect guest data very seriously, and we have strengthened and enhanced the security of our network to prevent this from happening again.”
From our experience, many organisations are unfamiliar with the legal requirement, under the GDPR, to appoint an EU representative. Having robust systems to protect against breaches is one thing but, if you are incorrectly handling data in the first place, there are potentially far wider ramifications under the GDPR.
Does your organisation hold data on EU subjects?
This latest cyber security breach is a reminder that all organisations need to be vigilant in how they go about protecting their customers’ data. It’s also a reminder that for any businesses operating outside of the EU, but holding data on EU based data subjects, it is vital to understand the requirements of Article 27. Not adhering to the GDPR could result in a significant fine for your business.
For further information on appointing an EU representative for your business, click here.
Author

James Hubbard is the Content Marketing Manager for EU Business Partners and McCarthy + Co Solicitors in Ireland. James has extensive experience in delivering digital content campaigns in the legal sector. He has worked alongside Flor McCarthy and the team behind EU Business Partners for over 5 years. James has an interest in cybersecurity issues and covers stories relating to data breaches, GDPR fines and non-compliance.
Do you need to know more about Article 27 Representation in the EU for GDPR and how it impacts your business?

The Ultimate Guide to Article 27 GDPR EU Representation for Non-EU Businesses.
Find out everything that you need to know about GDPR Article 27 Representation for your organisation in this free guide.