There is little more than one year left to prepare for the introduction of the new EU General Data Protection Regulation (GDPR). In short, the regulation means that companies must comply with the law or risk a fine of 2% of the company's annual global turnover or up to €10 million (whichever is greater) if you are a small company (sales up to €20m). This doubles to 4% or €20m if you are a large company (sales above €20m) or if personal data is a core part of your business (such as a hospital). Companies will have to build, rebuild or restructure their internal environment to meet these European rules on the protection of personal data.
Any business within the EU, including the UK for now, will feel the impact of the new law. Even if an individual country softens the impact, most countries will strengthen their personal data legislation and follow the guidelines. Moreover, every EU citizen is covered by the law, which means that companies outside the EU must comply with it too.
Measures to consider
Internally, it means you will need authorisation from your employees before their information can be used with any of your suppliers, whether direct or indirect. For example, you want travellers to be covered by insurance, but that is only allowed if the employee authorises you to pass their personal information on to the insurance company. More widely, the company must also protect data involving third parties such as customers or any other party in your company's circle, e.g. an HR system provider. Remember to be specific and clear that the data is used only for the agreed purpose and that it will be deleted once it is no longer relevant to that purpose.
This will have a major impact on the travel industry and speed up much-needed changes in process and technology. The whole chain needs rethinking, from searching for products to using the product or service, especially where customer personal data is concerned.
Examples in travel
I do believe the leisure part of the industry will have to rethink the whole way it uses and registers data, and corporate travel will have to go through the same process. The travel industry usually collects a lot of personal data in order to ensure smooth processing and a better customer experience. Most of that data is then shared with numerous third parties.
However, the new law places the whole responsibility for protecting personal data on the selling entity. It also demands knowing the details of the data, why it is stored and why you need access to it. This includes any third-party handler of the data, such as the Global Distribution Systems (GDS). It is important to note that the "owner" of the data, i.e. the TMC, is responsible for ensuring that third parties do not misuse it.
When a trip or service is sold, the traveller will have to authorise the sharing of their data with third parties, and companies will need to be able to document that the data is kept secure by the third party. In addition, we all know that more often than not a fourth and fifth party are involved in a trip.
The customer/traveller can demand:
- That you delete the information after it has been used for a single trip
- To view what data you hold about him/her/their family
- That you receive only limited data
- That you do not transfer the data to another legal entity without the customer's consent
- That you obtain the customer's authorisation before using, transferring or selling the data
- To forbid the use of the data for any purpose
Some of the corporate travel issues
The GDSs are built on old infrastructure surrounded by a large amount of new software that enables them to handle everything from booking, ticket issuing and accounting to check-in and luggage handling. Recently we saw a report on GDS security questioning how well this passenger data is protected. Thanks to Edward Snowden's disclosures, we know that a lot of this data ends up in government-controlled databases.
Airlines' existing structures will be challenged in relation to passenger personal data and what is collected in loyalty programmes.
Hotels need to discuss with the authorities whether the data that is passed on to them or stored by them has been authorised by the traveller/guest.
From a more practical point of view:
- Any breach must be reported to the data protection authorities and to the customer within 72 hours of identifying it
- Data needs to be documented, including how it is stored, why you hold it, who has access to it and why
- With all the hacking taking place, companies will need to invest in protective software beyond just the firewall. Even products like Codesealer, which detect attacks and protect the browser connection, may become mandatory.
In addition, the law demands that companies whose primary business relies on personal data appoint a data protection officer (DPO) who is registered to fight cybercrime. The authorities mention hospitals and insurance companies as examples, but I think companies that have their own app are included too, which would cover most airlines, TMCs and travel providers. DPOs will ensure that:
- Companies obtain the right authorisation from employees, customers and other third-party entities
- Registration, processes and systems offer enough protection
- Systems and processes are kept up to date, including the mobility infrastructure
Next steps
Buyers: Find out how you will handle the requirements towards your employees and suppliers.
TMCs and intermediaries: Ensure that processes, documents and software are built to comply with the requirements of suppliers as well as travellers.
Suppliers (especially those with apps and loyalty programmes): May need to employ a DPO.
There is no doubt this will add to every company's costs, and eventually the customer will have to pay. This article has only covered the basics and has not looked at areas such as social media and the way users freely share their personal data. Those will need separate attention and changes of their own.