GDPR Blocking & Tackling

By Elizabeth West / 6 March 2018 / Contact Reporter
International Data Transfers

The EU recognizes only a handful of countries as approved jurisdictions to which to transfer data, and some companies have built data centers in the EU to avoid international transfers. Companies transferring data to non-approved jurisdictions, via the cloud or any other means, must comply with the General Data Protection Regulation. They have two immediate alternatives:

Corporate Binding Rules: CBRs set requirements for international data transfers within a corporation but not to third parties. The EU Data Protection Authority requires specific content to be included in the data transfers and calls for companies to document and audit policies and procedures. CBRs are permanent and never require reapproval.

Standard Model Clauses: Standard Model Clauses facilitate data transfers to entities outside an organization. The data importer agrees to data security stipulations outlined by the data exporter. Model Clauses exist now, but none are specific to GDPR. Model Clauses are intended for simpler data transfers; companies with large and varying data transfers likely will require another avenue.

Other Frameworks
Approved certification, ad hoc contracts and derogations are all potential frameworks for data transfer under GDPR. An industry code of conduct, as defined in Article 40 of the GDPR legislation, has also caught the attention of some travel players, though an early effort has fizzled. American Express Global Business Travel chief privacy officer Kasey Chappelle is a code of conduct proponent, and she points to industry associations like the Global Business Travel Association and Association of Corporate Travel Executives as potential leaders in that movement. Samantha Simms, an information law attorney who specializes in GDPR issues and data privacy strategy for large multinational organizations, is more skeptical. "There are a huge number of independent but interconnected players [in travel]. Given the wealth of data these organizations handle, it may be that they want to embed GDPR into their organizations and understand their landscape first before they come together to form consensus."

Technically, the European Union’s General Data Protection Regulation became law in 2016. Enforcement will begin May 25, and if the standing-room-only GDPR Masterclass attendance at last month’s Business Travel Show in London was any indicator, travel buyers are under pressure to square their programs with the new regulations.

GDPR replaces the 1995 Data Protection Directive. It defines data rights for EU citizens, wherever they work or engage in commerce around the globe, and it lays out the conditions under which the data of EU citizens can be transferred outside the European Economic Area—the EU plus Iceland, Liechtenstein and Norway—which is a critical component for travel. GDPR requires all companies that interact with EU citizens to inform these individuals about how their personal data is being used, with what other entities their data may be shared and for how long the data is retained. It requires businesses to allow each EU citizen access to his or her data to rectify incorrect information and change permissions on what is shared; it also underscores the “right to be forgotten” and requires that businesses build data privacy and protection into their policies, processes and operations.

Failure to comply will put businesses at risk of incurring heavy fines should regulators determine they are mishandling data and/or willfully failing to report data breaches. Fines top out at 20 million euros or 4 percent of the previous year’s annual revenue, whichever is higher. The U.K. Information Commissioner’s Office, for one, has clarified that GDPR penalties should be levied in individual cases, based on the type of data compromised and the nature of the noncompliance, and that GDPR includes a host of remedies, leaving fines as a final recourse.

GDPR & Travel Management

“Think of the number of touchpoints involved in just one travel itinerary,” said Samantha Simms, a London-based information law attorney and founder of The Information Collective who specializes in GDPR issues and data privacy strategy for large multinational organizations. She rattled off a few: global distribution system, travel management company, online booking tool, payment solution, airline, hotel, car rental company, risk management provider, regulatory entities, rate shopping tools, expense tool, subcontractors for primary vendors, third-party analytics partners, apps like itinerary managers, and sharing economy providers like Uber & Airbnb.

Ensuring GDPR compliance from all those partners rolls up to the travel buyer. “They must determine who is a data controller and who is a data processor in their programs,” said Simms. “Because GDPR defines obligations and liabilities based on those roles, the burning question is whether the travel manager’s company will be the one penalized when something goes wrong.”

The data controller is the owner of the data, the entity that defines how the data will be handled by the data processor and with whom that data will be shared. Under GDPR, the data controller is fully liable for damages caused by noncompliant processing unless the controller can prove that it is “not in any way responsible for the event giving rise to the damage,” according to draft guidance on GDPR contracts and liabilities between controllers and processors that the U.K. Information Commissioner’s Office published in September. Data controllers are also responsible for reporting data breaches to appropriate authorities and affected individuals within 72 hours of discovery.

The data processor handles data on behalf of the data owner, or controller, and should handle information only according to the written instructions of the controller. GDPR requires minimum contract terms between the controller and the processor, also referred to as the data processing agreement. These agreements:

  • assure data confidentiality and require documentation of GDPR-compliant data processes
  • include written consent from the controller to pass data to a subcontractor, also called a subprocessor
  • assure the processor will assist the controller in executing the requirements of GDPR, such as adhering to individual rights requirements to access, correct or delete data and disclosing data breaches to the controller within 72 hours

If the processor acts outside the terms of the written contract, it could be liable for fines. Same for a subprocessor. This is a change from the 1995 legislation, in which controllers were solely liable.

U.K.-based data privacy and cybersecurity firm Covington offers a summary of key GDPR contract and liability terms on its website.

Digging into Data Protection

Every data processor in the travel program ecosystem requires a risk impact assessment and a data processing agreement. Several major travel partners qualify as data controllers in their own right, easing liability concerns for corporates under GDPR. As with seemingly everything in travel, however, the relationships can get complicated.

Beyond Consent

Actively getting consent at the point of data capture is just one way to justify capturing data. It’s not the only way. In some cases, it’s not even the preferred way. “Relying on consent as a catchall is going to be quite difficult in an employee-employer relationship but also in a traveler-travel provider relationship,” said The Information Collective founder Samantha Simms. GDPR recognizes other data capture justifications: contractual necessity; regulatory compliance; vital interest, literally meaning a life-or-death situation; legitimate interest; and law enforcement. It must be clear at the point of collection, however, why the data is required, how it will be used and how long it will be retained. Sensitive data like race, ethnicity, health issues, disabilities and sexual orientation may be captured only via consent.

Travel suppliers like airlines, hotels and car rental companies are data controllers under GDPR. Travel buyers are not required under the law to nail down these data and liability relationships, not even with preferred partners. Fortunately, transmitting necessary employee data to these partners need not rely on consent from the traveler, as the information is critical to delivering the services that are purchased and in certain instances is required by government entities for regulatory purposes (see Beyond Consent).

Travel management companies are in a murkier position. It’s possible to contract with a TMC as a data processor, according to Radius Travel senior director of information technology and data privacy officer Chris Giordano. However, “the role the TMC takes under GDPR in some ways determines the services they are able to provide. If [a TMC] chooses to be a processor, it could limit what they do as a business,” he said.

Because of this, most TMCs have taken the role of a data controller. “It seems weird for a TMC, which is technically a vendor, to be a data controller,” said American Express Global Business Travel chief privacy officer Kasey Chappelle, but the law allows for co-controller relationships, giving such vendors the same liability obligations as the data owner. “In the normal procurement process, the systems are set up to assume the vendor is a processor, [but] the TMC relationship requires nuance and it has to be looked at from a functional perspective.”

A number of TMC activities put it in the data driver’s seat: policy enforcement, supplier negotiation and program optimization initiatives that TMCs may assume. “Of course, we are a vendor and the corporate calls a certain number of the shots, but we are also directly responsible for calling some of the shots when the data is in our remit,” she said.

Even as a co-controller, Giordano said TMCs need to provide transparency to corporates about data transfer and downstream processors, including global distribution systems, online booking tools, mid-office processors and others. Because TMCs maintain traveler profiles, they could have access to sensitive information like meal preference that reveals ethnicity or health-related issues. Corporates need assurances that traveler profile information is secure and will be handled properly. TMCs also must adhere to breach notification requirements and assist corporates in supporting data rights and access for individual travelers.

Other vendors fall more easily into the data processor category: online booking tools, meeting management tools and expense management systems are good examples. With these, “it’s a matter of methodically going through the list, prioritizing it and going back to basics,” said Simms. “Understand the data inventory flowing to each provider. Make sure you’ve satisfied the transparency requirements about how the data will be used. Define [in the contract] who’s responsible for data privacy and capturing consent if that is required—and how best to capture it.”

Travel’s Embedded Challenges

GDSs could present a particular challenge for travel. It’s a problem because GDS technologies permeate the travel industry, not just for content and ticketing but also as technology partners for TMCs, airlines, hotels and even other technology providers.

As of 2009, GDS providers have handled data according to an EU Code of Conduct adopted by the European Parliament for computerized reservations systems, and they were considered data controllers under the 1995 Data Protection Directive. A recent article in The Company Dime suggested the GDS’s role as controller could change under GDPR. The story quoted an unnamed travel tech data privacy official as saying, “No one really knows, and no one will know until there is enforcement action” under the new regulation. That might not take long.

GDSs facilitated about 60 percent of the 1 billion air tickets purchased in 2015, but they’ve proved to be a weak security link in the travel technology chain. High-profile security breaches at Sabre and Sabre Hospitality Solutions in the past three years have called attention to the issue, as did a late 2016 hacker convention, Chaos Communication Congress, that showed how easy it is to access passenger name record information and that it’s the key to unlocking personal information on travelers in all the major GDS systems. If GDS providers are not considered controllers under GDPR, it could unleash a cascade of issues for partners.

At least for travel buyers, and likely for other partners, Simms is confident that the GDS’s controller role will stay put under GDPR, though she admits it’s complicated because of the number of services and technologies they provide to the industry. “The GDS sits at the heart of the travel ecosystem,” she said, then posed a rhetorical question: “Can we as parties that sit outside that position expect to define how and why the GDS is using data?”

Rather, Simms believes GDPR offers the industry an opportunity to flip that question. “What we should be looking at, if the GDS is a controller, is why other booking repositories are not,” she said. “Any repository that performs by a factual analysis as a GDS—if you are doing the same thing but with hotel or rail or different content—I would think we should consider a controller. [And] if they are breached, should it not be their responsibility under the GDPR to take necessary actions as a controller rather than reporting back to the large number of subscribers? To date, we haven’t taken a good look underneath the bonnet of data flows within travel. GDPR allows us to take a much closer and detailed look.”