International Data Transfers
The EU recognizes only a handful of countries as approved
jurisdictions to which to transfer data, and some companies have built data
centers in the EU to avoid international transfers. Companies transferring data
to non-approved jurisdictions, via the cloud or any other means, must comply
with the General Data Protection Regulation. They have two immediate
alternatives:
- Corporate Binding Rules: CBRs set requirements for international data
transfers within a corporation but not to third parties. The EU Data Protection
Authority requires specific content to be included in the data transfers and
calls for companies to document and audit policies and procedures. CBRs are
permanent and never require reapproval.
- Standard Model Clauses: Standard Model Clauses facilitate data transfers to
entities outside an organization. The data importer agrees to data security
stipulations outlined by the data exporter. Model Clauses exist now, but none
are specific to GDPR. Model Clauses are intended for simpler data transfers;
companies with large and varying data transfers likely will require another
avenue.
Other Frameworks
Approved certification, ad hoc contracts and
derogations are all potential frameworks for data transfer under GDPR. An
industry code of conduct, as defined in Article 40 of the GDPR legislation,
also has caught the attention of some travel players, though an early effort
has fizzled. American Express Global Business Travel chief privacy officer
Kasey Chappelle is a code of conduct proponent, and she points to industry
associations like the Global Business Travel Association and Association of
Corporate Travel Executives as potential leaders in that movement. Samantha
Simms, an information law attorney who specializes in GDPR issues and data
privacy strategy for large multinational organizations, is more skeptical. "There
are a huge number of independent but interconnected players [in travel]. Given
the wealth of data these organizations handle, it may be that they want to
embed GDPR into their organizations and understand their landscape first before
they come together to form consensus."
Technically, the
European Union’s General Data Protection Regulation became law in 2016.
Enforcement will begin May 25, and if the standing-room-only GDPR Masterclass
attendance at last month’s Business Travel Show in London was any indicator,
travel buyers are under pressure to square their programs with the new
regulations.
GDPR replaces the 1995 Data Protection Directive. It defines data rights for EU
citizens, wherever they work or engage in commerce around the globe, and it
lays out the conditions under which the data of EU citizens can be transferred
outside the European Economic Area—the EU plus Iceland, Liechtenstein and
Norway—which is a critical component for travel. GDPR requires all companies that interact with EU citizens to inform these individuals about how
their personal data is being used, with what other entities their data may be
shared and for how long the data is retained. It requires businesses to allow
each EU citizen access to his or her data to rectify incorrect information and
change permissions on what is shared; it also underscores the “right to be
forgotten” and requires that businesses build data privacy and protection into
their policies, processes and operations.
Failure to comply will put businesses at risk of incurring heavy fines should
regulators determine they are mishandling data and/or willfully failing to
report data breaches. Fines top out at 20 million euros or 4 percent of the
previous year’s annual revenue, whichever is higher. The U.K. Information Commissioner’s Office, for one, has clarified that GDPR penalties should be
levied in individual cases, based on the type of data compromised and the
nature of the noncompliance, and that GDPR includes a host of remedies, leaving
fines as a final recourse.
GDPR & Travel Management
“Think of the
number of touchpoints involved in just one travel itinerary,” said Samantha
Simms, a London-based information law attorney and founder of The Information
Collective who specializes in GDPR issues and data privacy strategy for large
multinational organizations. She rattled off a few: global distribution system, travel management company, online booking tool, payment solution, airline, hotel, car rental company, risk management provider, regulatory entities, rate shopping tools, expense tool, subcontractors for primary vendors, third-party analytics partners, apps like itinerary managers, and sharing economy providers like
Uber & Airbnb.
Ensuring GDPR compliance from all those partners rolls up to the travel buyer.
“They must determine who is a data controller and who is a data processor in
their programs,” said Simms. “Because GDPR defines obligations and liabilities
based on those roles, the burning question is whether the travel manager’s
company will be the one penalized when something goes wrong.”
The data controller is the owner of the data, the entity which defines how the data
will be handled by the data processor and with whom that data will be shared.
Under GDPR, the data controller is fully liable for damages caused by
noncompliant processing unless the controller can prove that it is “not in any
way responsible for the event giving rise to the damage,” according to draft
guidance on GDPR contracts and liabilities between controllers and processors
that the U.K. Information Commissioner’s Office published in September. Data
controllers are also responsible for reporting data breaches to appropriate
authorities and affected individuals within 72 hours of discovery.
The data processor handles data on behalf of the data owner, or controller, and
should handle information only according to the written instructions of the
controller. GDPR requires minimum contract terms between the controller and the
processor, also referred to as the data processing agreement. These agreements:
- assure data confidentiality and require documentation of GDPR-compliant data
processes
- include written consent from the controller to pass data to a subcontractor,
also called a subprocessor
- assure the processor will assist the controller in executing the requirements
of GDPR, such as adhering to individual rights requirements to access, correct
or delete data and disclosing data breaches to the controller within 72 hours
If the processor acts outside the terms of the written contract, it could be
liable for fines. Same for a subprocessor. This is a change from the 1995
legislation, in which controllers were solely liable.
U.K.-based data privacy and cybersecurity firm Covington offers a summary of
key GDPR contract and liability issues on its website.
Digging into Data Protection
Every data processor
in the travel program ecosystem requires a risk impact assessment and a data
processing agreement. Several major travel partners qualify as data controllers
in their own right, easing liability concerns for corporates under GDPR. As
with seemingly everything in travel, however, the relationships can get
complicated.
Beyond Consent
Actively getting consent at the point of data
capture is just one way to justify capturing data. It’s not the only way. In
some cases, it’s not even the preferred way. “Relying on consent as a catchall
is going to be quite difficult in an employee-employer relationship but also in
a traveler-travel provider relationship,” said The Information Collective
founder Samantha Simms. GDPR recognizes other data capture justifications:
contractual necessity; regulatory compliance; vital interest, literally meaning
a life-or-death situation; legitimate interest; and law enforcement. It must be
clear at the point of collection, however, why the data is required, how it
will be used and how long it will be retained. Sensitive data like race, ethnicity,
health issues, disabilities and sexual orientation may be captured only via
consent.
Travel suppliers like airlines, hotels and car rental companies are data controllers
under GDPR. Travel buyers are not required under the law to nail down these
data and liability relationships, not even with preferred partners.
Fortunately, transmitting necessary employee data to these partners need not
rely on consent from the traveler, as the information is critical to delivering
the services that are purchased and in certain instances is required by
government entities for regulatory purposes (see Beyond Consent).
Travel management companies are in a murkier position. It’s possible to contract with
a TMC as a data processor, according to Radius Travel senior director of
information technology and data privacy officer Chris Giordano. However, “the
role the TMC takes under GDPR in some ways determines the services they are
able to provide. If [a TMC] chooses to be a processor, it could limit what they
do as a business,” he said.
Because of this, most TMCs have taken the role of a data controller. “It seems weird
for a TMC, which is technically a vendor, to be a data controller,” said
American Express Global Business Travel chief privacy officer Kasey Chappelle,
but the law allows for co-controller relationships, giving such vendors the
same liability obligations as the data owner. “In the normal procurement
process, the systems are set up to assume the vendor is a processor, [but] the
TMC relationship requires nuance and it has to be looked at from a functional
perspective.”
A number of activities put a TMC in the data driver’s seat: policy enforcement,
supplier negotiation and program optimization initiatives that TMCs may assume.
“Of course, we are a vendor and the corporate calls a certain number of the
shots, but we are also directly responsible for calling some of the shots when
the data is in our remit,” she said.
Even as a co-controller, Giordano said TMCs need to provide transparency to
corporates about data transfer and downstream processors, including global
distribution systems, online booking tools, mid-office processors and others.
Because TMCs maintain traveler profiles, they could have access to sensitive
information like meal preference that reveals ethnicity or health-related issues.
Corporates need assurances that traveler profile information is secure and will
be handled properly. TMCs also must adhere to breach notification requirements
and assist corporates in supporting data rights and access for individual
travelers.
Other vendors fall more easily into the data processor category: online booking
tools, meeting management tools and expense management systems are good
examples. With these, “it’s a matter of methodically going through the list,
prioritizing it and going back to basics,” said Simms. “Understand the data
inventory flowing to each provider. Make sure you’ve satisfied the transparency
requirements about how the data will be used. Define [in the contract] who’s
responsible for data privacy and capturing consent if that is required—and how
best to capture it.”
Travel’s Embedded Challenges
GDSs could present
a particular challenge for travel. It’s a problem because GDS technologies
permeate the travel industry, not just for content and ticketing but also as
technology partners for TMCs, airlines, hotels and even other technology
providers.
As of 2009, GDS providers have handled data according to an EU Code of Conduct
adopted by the European Parliament for computerized reservations systems, and
they were considered data controllers under the 1995 Data Protection Directive.
A recent article in The Company Dime suggested that the GDS’s role as controller
could change under GDPR. The story quoted an unnamed travel tech data privacy
official as saying, “No one really knows, and no one will know until there is
enforcement action” under the new regulation. That might not take long.
GDSs facilitated about 60 percent of the 1 billion air tickets purchased in 2015,
but they’ve proved to be a weak
security link in the travel technology chain. High-profile security breaches at
Sabre and Sabre Hospitality Solutions in the past three years have called attention
to the issue, as did a late 2016 hackers convention, Chaos Communication
Congress, that showed how easy it is to access passenger name record
information and that it’s the key to unlocking personal information on
travelers in all the major GDS systems. If GDS providers are not considered
controllers under GDPR, it could unleash a cascade of issues for partners.
At least for travel buyers, and likely for other partners, Simms is confident that
the GDS’s controller role will stay put under GDPR, though she admits it’s
complicated because of the number of services and technologies they provide to
the industry. “The GDS sits at the heart of the travel ecosystem,” she said,
then posed a rhetorical question: “Can we as parties that sit outside that position
expect to define how and why the GDS is using data?”
Rather, Simms believes GDPR offers the industry an
opportunity to flip that question. “What we should be looking at, if the GDS is
a controller, is why other booking repositories are not,” she said. “Any
repository that performs by a factual analysis as a GDS—if you are doing the
same thing but with hotel or rail or different content—I would think we should
consider a controller. [And] if they are breached, should it not be their
responsibility under the GDPR to take necessary actions as a controller rather
than reporting back to the large number of subscribers? To date, we haven’t
taken a good look underneath the bonnet of data flows within travel. GDPR
allows us to take a much closer and detailed look.”