GDPR comes into enforcement on 25 May 2018 and is directly aimed at giving greater data protection in the member countries of the EU (currently 28 countries, including the United Kingdom). The total population directly impacted by GDPR in all these countries is roughly 508 million people.
However, the new regulations will affect almost all countries in the world, because the GDPR extends EU data protection law to all foreign companies processing the data of EU residents, regardless of where the company is headquartered. Whether you are a buyer or a supplier, you need to start asking within your organisation immediately how the GDPR will impact your existing and future travel and meetings supplier agreements.
At the very core of the GDPR are data privacy and governance. How companies address the new regulations will invariably affect their business processes and add operational costs to every affected company. Each will have to conduct ongoing audits and assessments and employ data protection experts as part of the newer, stricter data governance requirements under the GDPR.
Do US regulations do the job?
So, what about Privacy Shield, which replaced Safe Harbor? Does that exempt Privacy Shield members from the GDPR?
According to the Privacy Trust website "The GDPR has specific requirements regarding the transfer of data out of the EU. One of these requirements is that the transfer must only happen to countries deemed as having adequate data protection laws.
"In general, the EU does not list the US as one of the countries that meets this requirement.
"Privacy Shield is designed to create a programme whereby participating companies are deemed as having adequate protection, and therefore facilitate the transfer of information.
"In short, Privacy Shield allows US companies, or EU companies working with US companies, to meet this requirement of the GDPR."
However, according to other experts, such as the Washington DC-based law firm Foley & Lardner LLP, Privacy Shield may not survive when the GDPR kicks in, because its premise of "adequate data protection", especially for US companies, has been challenged as inadequate.
On its website, Foley says, "The European Union Article 29 Working Party (Article 29) issued an opinion on the proposed EU-US Privacy Shield framework agreement (Privacy Shield) earlier this week, stating that although the Privacy Shield was a 'great step forward,' the Article 29 group identified several areas in which it found the Privacy Shield to be unacceptable, including that it permits the US to carry out 'massive and indiscriminate' bulk surveillance of European Union citizens."
The biggest change, in my opinion, is the escalation and elevation of anything regarding data privacy to the corporate C-Suite.
The Foley website page says, "Companies should be aware that GDPR shifts the issue of privacy and personal data protection even further from an information technology issue to a Board of Directors and C-suite issue. GDPR will have a tremendous impact on the day-to-day operations, costs, and potential liabilities of the company that demands board level attention. Furthermore, under Sarbanes-Oxley [Act] in the United States, public companies may need to disclose GDPR's increased operational costs and potential for high liabilities to their investors."
If the above is true, that means that travel management company (TMC) agreements, meeting management company (MMC) agreements, mobile app supplier agreements, strategic meetings management programme (SMMP) technology agreements and any supplier agreements that support your current corporate travel programme or SMMP will require C-Level or Board awareness and further scrutiny to ensure compliance and to avoid any potential violations that could incur penalty charges.
Now is the time to review
One of the main evangelists of what is coming with the GDPR is UK business journalist Elliott Haworth, who says, "GDPR should not be taken as a threat: its virtues have been extolled by many in the data world for years as best practice. Hindsight is a wonderful thing, but had executives taken data governance seriously in the first place, perhaps we would not be here today." You can follow Elliott on Twitter, where he frequently posts information and links regarding the GDPR and subsequent updates.
All of this is no doubt a big step towards combating the data theft and phishing activities being perpetrated globally, but it does require a tough introspective look at how companies and their supplier partners treat and retain personal data.
In case you are wondering about the scope of personal data covered by the GDPR, it is more than just name and address. It also includes income information, health information, frequent flyer and frequent stay account information, birthdays, age, food preferences, allergy notifications, cultural and ethnic background information, and so on. There are also regulations and guidelines on how long the data collector can retain the information, with mandatory purging of personal data.
Think about how much data companies and their preferred supplier partners collect and retain for their employee travel, meeting/event attendees, guests, etc. GDPR will require a review and remedy for existing travel and meeting processes, supplier agreements and a whole lot more. This kind of thoroughness will require time, budget and revised preferred supplier considerations for all business travel and corporate meeting and event leaders.
I highly recommend that both buyers and suppliers in the business travel and meetings and events ecosystems start the process now to be compliant with the GDPR before the 25 May 2018 enforcement date. The penalties and stiff fines are more than enough incentive to get this message out, and for companies to start treating data privacy protection as a primary corporate objective rather than an aspirational goal. Frankly, you have less than one year to be GDPR compliant; if you are only becoming aware of this now and have done nothing to date, you are running out of time.