Companies with European Union citizens among their workforce
have until May 2018 to ensure their travel programs comply with a new data protection
regime that punishes transgressors more harshly than previous legislation. The General
Data Protection Regulation requires businesses to take responsibility for understanding
where personal data about their employees is held and verifying that the information
is protected in line with European privacy standards, which are among the strictest
in the world.
"Wherever data of a person from the EU is processed, it
will need to comply," said Marta Dunphy-Moriel, an associate with London-based
law firm Fieldfisher. "One of the key principles GDPR puts in place is accountability.
Travel managers need to know what is happening to their data at every stage. That
was previously best practice, but it's now a statutory requirement." Putting
heads in the sand is therefore "not an option" for travel managers, Dunphy-Moriel
continued. "It is better to get started now rather than wait until you are
exposed to a massive fine." Companies can be penalized up to 4 percent of their
global revenue for breaching the regulation.
What's Different About GDPR?
According to Soeren Schoedt—managing director of Copenhagen-based
purchasing consortium TravelpoolEurope, which manages travel for 30-plus companies
in 27 countries—"The rules are more or less the same, but what is new is that
they will be policed more and businesses will face higher fines for noncompliance.
We must show we have done everything we can."
The rules to which Schoedt refers govern issues like how data
is secured, how long it is retained, who has access to it and, in some cases, whether
the data subjects, the travelers, have consented for their data to be held and processed.
Tracking and securing traveler data is particularly difficult because there is so
much of it and it is held by so many different vendors. On the other hand, said
Schoedt, he found only two circumstances where traveler records include so-called
"sensitive" personal data that demands the very highest levels of protection.
One is airline meal selections, which may reveal a passenger's ethnicity. The other
is freeform notes added to a traveler profile that indicate a health issue that
requires special treatment by the supplier—use of a wheelchair, for example.
Under European data protection principles, the greatest responsibility
for ensuring data protection compliance lies with the data "controller,"
which makes decisions and gives orders about how to handle data. Where companies
have a written contract with a travel management company, the TMC is usually considered
to be the controller. "GDPR provides specific requirements for companies that
control or process personal information," said Carlson Wagonlit Travel global
privacy officer Samantha Simms. "TMCs will now need to demonstrate accountability
for the personal information. Ultimately, responsibility to manage and protect personal
data rests with the TMC."
However, Dieter Koeve, senior partner with Koeve + Koeve, the
law firm that advises German travel management association VDR, takes a more nuanced
view. He believes GDPR implicitly prevents clients from hiding behind their nominated
data controllers if laws are breached. "Companies need to be more aware of
what is happening to their employees' data," said Koeve. "You can't just assume
that Lufthansa and United Airlines will handle your data correctly. We have a new
age regarding data protection in which you are responsible, even if you are not
the data controller."
Getting Ready for GDPR
Almost all travel managers lack competence to handle this issue
alone. They need to talk to their legal teams and, above all, their company data
protection officers; certain businesses—such as those that do large-scale, systematic
monitoring of individuals—are obliged to appoint data protection officers under
the GDPR. Travel managers should approach these officers, said Dunphy-Moriel, and
tell them: "This is what we process. This is what we need it for. This is who
we share it with. These are our contracts. Are there any clauses we need to renegotiate
and any other changes we need to make?" Schoedt has already been through that
process with his company's lawyers. They asked him to group the different kinds
of suppliers to which personal data is sent. They totaled 17 groups, such as airlines,
credit card issuers and global distribution systems.
Once TravelpoolEurope understood its data flow better, it introduced
a series of compliance measures. It beefed up IT security, ensuring encryption of
all personal data. It also created two templates to address consent issues. It has
inserted one into its travel policies to explain how travel suppliers deploy employee
data. The other is a page with similar information for the website that the travelers
use. The page pops up the first time travelers log on, and the website asks them
to approve it.
Issues to Watch
BCG head of global travel Gehan Colliander has started working
through the ramifications of GDPR with her firm's legal team. In her view, travel
managers need to give three matters special attention:
Profiling. Normal data can usually be processed without
consent, but "for sensitive data, you need explicit consent and additional
security measures," said Dunphy-Moriel. "Or you could build a case that
the data is not sensitive. You need to think about it and have a position."
However, while traveler profiling based on ethnicity or other
sensitive data is clearly a no-no, Colliander's discussions with her company's lawyers
raised uncertainties about whether any kind of profile-based marketing is compliant
with the regulation. "Is it legal to push certain fares to a traveler depending
on their travel profile?" asks Colliander, who also is president of GBTA Europe.
"Marketing based on profiling is not illegal so long as there is consent, but
how suppliers obtain that consent is unclear. Will suppliers be seeking to obtain
the consent of every traveler, and, if so, why are they doing that when they should
be directing marketing to the corporate client instead? Absolutely there are question
marks over supplier marketing. Targeted marketing does appear in the directive.
There are restrictions on data processing and decisions based on that processing,
to the extent that this could be considered profiling," said Colliander.
This gray area is exactly what persuaded U.K. TMC Norad Travel
Group to pause its consideration of introducing chatbot booking technology. "GDPR
is all about explicit consent and an individual's right and a legal basis for processing
that data," said CEO Mick Gibbs. "Who owns the artificial intelligence
inside a robot?"
Vendor Certification. Suppliers need to confirm they are
compliant with GDPR, ensuring, for example, that they will provide immediate notification
in the event of a breach or that they will delete data as soon as they are notified
an employee no longer works for a client company. Colliander's legal team has advised
her that suppliers must sign a contractual assurance that they are compliant with
BCG's 15-page data processing agreement.
The problem, according to Schoedt, is that "some vendors
are prepared and some are not. In the EU, they are knowledgeable about the situation
and have timetabled their preparations. Outside the EU, they don't know how to address
it. We had a contract with a U.S.-based car rental company that went back and forth
with the lawyers for months because they didn't understand what we were asking for."
Plenty of time is needed, therefore, to ensure all suppliers
will be compliant by the May 2018 deadline. An example of just how much work that
requires: "Now that we are a year away from implementation, we have a project
team working on ensuring compliance with the specific details of GDPR," said
CWT's Simms. "Key areas currently being addressed include an updated privacy
impact assessment framework; updating our privacy notices and mechanisms for obtaining
consent; refreshing our approach to handling questions from travelers on access,
correction and deletion of information; and formally appointing a data protection
officer."
Crossborder Data Transfer. Only a small number of countries
and territories outside the European Economic Area—which encompasses the EU, Iceland,
Norway and Liechtenstein—are deemed by the EU to offer adequate data protection:
Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel,
Jersey, New Zealand, Switzerland and Uruguay. The GDPR permits data transfer to
countries with inadequate protection so long as approved mitigating measures are
taken.
One of the most common mitigating actions, the one adopted by
TravelpoolEurope, is to draft model contractual clauses, also known as standard
contractual clauses, that leave a supplier in breach of contract if it does not
protect transferred data to the same standard as required within the EU. Another
option is Binding Corporate Rules, under which a multinational company provides evidence
to an EU member state's data protection authority that it has taken steps to ensure
the data is transferred compliantly.
For the U.S. specifically, there is also the Privacy Shield framework,
although some European companies are becoming nervous about transferring employee
data across the Atlantic and instead are insisting that U.S. service providers keep
information within the EU.
Though these principles seem straightforward, Colliander
and her legal team are uncovering questions around which data requires compliant
treatment for crossborder transfer. "Treatment of non-EU citizens' data is
still not clear," she said.