Travel Data Protection Will Turn into Opportunities

By American Express Global Business Travel chief privacy officer & VP of commercial compliance Kasey Chappelle / 29 January 2018

Personal data makes business travel possible. It can also make business travel smarter and faster. Data, handled effectively and appropriately, can bring down costs, increase compliance with laws and policies and keep travelers happy and safe.

The European Union’s General Data Protection Regulation, coming into force this May, aims to update how personal data is handled and shared. It has a broader scope than the law it replaces, so any company handling EU data must pay close attention to this shift.

Travel is complicated, and business travel involves high-risk data. A travel transaction isn’t a simple data flow. It involves many different entities located around the world. Business travel is increasingly driven by data-powered consumer technologies that can cause privacy problems if they are not handled carefully.

Data Awareness Will Lead to Opportunities: Smart companies are treating GDPR compliance as an opportunity rather than a risk. Here’s one example: The law requires companies to maintain a record of data-processing activities. Some companies will have a compliance analyst update a spreadsheet as business processes change. Others will take this opportunity to create a data inventory, forming the basis of a data-governance program that meets GDPR obligations but also furthers business goals for data quality and accuracy. That will reduce errors and power better client and traveler services. In 2018, as GDPR forces companies to become more rigorous about charting and monitoring their data, it will drive better business practices and even new opportunities.

Dialogue Will Create Clarity: Data protection law divides organizations into controllers and processors.
The former are directly responsible for data; the latter process data only on the explicit instruction of a controller. The travel buyer, global distribution system and travel supplier by law are controllers. Travel management companies take differing positions, but most provide services complex enough to qualify as a data controller and they will offer controller compliance to clients. Those TMCs take on the responsibility—and the liability—of data protection compliance. That can lift the GDPR burden from travel managers significantly.

Still, travel managers need to educate internal stakeholders like procurement and compliance departments that travel programs are different. They may already have had to explain to their lawyers why a contract can’t be—and doesn’t need to be—executed with every potential hotel, airline and ground transport company around the world. This task can be made easier through industry dialogue and standardization. Travel industry associations have started to share explanations of complex data protection issues specific to travel, such as proper treatment of meal preferences and disability assistance requests, and legal analysis of international travel booking transfers. Further, they can align on technology solutions and sponsor industry codes of conduct to simplify compliance and ensure data is protected across the travel transaction.

Breach Notifications Will Drive Security Practices: Cybercriminals increasingly target vulnerabilities in the travel ecosystem. Travel companies must pay close attention to how they secure the valuable data they handle. GDPR doesn’t change that; it does, however, impose new obligations on companies that experience breaches. Breach notification laws, active in the U.S. and a few other countries, have forced companies to pay closer attention to security programs and their responsibility to the public when breaches are uncovered. GDPR will have a similar effect for EU citizens.
Breach announcements will increase dramatically in 2018, and companies will be forced to improve their incident response times and formalize their protocols.