When it comes to GDPR, one of the important things to distinguish is who is the controller and who is the processor of data. Travel's complexity combined with the 'no size fits all' nature of business means this can be difficult to determine, but travel buyers must check the right measures are in place and know where responsibility lies.
At this week's Business Travel Summit Amsterdam, Samantha Simms, global data privacy officer at CWT, explained that the controller decides how and why data is used, while the processor acts upon the controller's instruction. TMCs are generally seen as controllers alongside the GDS, airlines, hotels, ground transport providers etc. This is because there has been an agreement between the traveller and supplier to exchange information. Examples of processors include online booking tools and fare tracking technology companies.
Simms believes it is "hard to identify the buyer as a controller" as buyers have little control over what suppliers are doing with data once it's fed in. "It's too difficult a situation and buyers probably aren't aware of how it's used. It's burdensome for them to hold," she says.
However, as Judica Krikke, partner, head of TMT/IP at law firm Stibbe, has pointed out, the corporation still holds accountability. Businesses should also consider the practices of the suppliers used. "Buyers can vet suppliers and put clauses into contracts that relate to data protection," she advises. "If you use a third party then the responsibility shifts but you still can't walk away from the responsibility."
So where does yours lie? Krikke recommends buyers speak to their TMC/s about data protection policies, while also encouraging all involved to "get a grip on what data is processed and how." She adds that buyers should find their priorities, such as whether the data is being used in the right way, whether it can be used and what happens if it's not needed anymore.
There are internal stakeholders that can help too — Simms advises buyers to check policies with data protection officers and make sure people are aware that the changes are coming.
The pair said GDPR has been around for some time but the enforcement coming in May 2018 is making it scarier. Buyers are already finding themselves involved across more departments, whether it's security, HR and/or finance. Data protection is another one of those to consider.