What GDPR means for the travel industry

White Papers 17 May 2018

WHAT IS GDPR?

The General Data Protection Regulation (GDPR) is being described as the most important change in data privacy regulation in 20 years. The legislation will have a major effect on how companies that operate in the European Union manage their data and also impact the global travel industry.

LEGISLATION A LONG TIME COMING

After four years of preparation and debate the General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016 with an enforcement date of 25 May 2018.

From this date, companies face strict fines for not complying with the standards set by the GDPR, which provides greater predictability and efficiency for organisations that do business in the European Union (EU) and offers residents increased data protection rights.

HOW GDPR HELPS INDIVIDUALS

GDPR is designed to give individuals better control over their personal data and allow them to manage their consent. Personal data is defined as any information relating to an identified or identifiable natural person, and can include online identifiers, such as IP addresses and cookies. As advised by IBM, it can also include information such as physical, physiological, genetic, mental, economic, cultural or social identities that can be traced back to a specific individual.

Learn more about GDPR and rules for businesses and organisations on the European Union’s website.

WHAT DOES IT MEAN FOR YOUR COMPANY?

From 25 May 2018, businesses of any size may need to comply with the GDPR if they have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviours of individuals in the EU.

BREAKING DOWN GDPR

GDPR identifies three distinct categories over which it has power:

  • A Data Subject is a natural person whose personal data is processed by a controller or processor.
  • A Data Processor is the entity that processes data on behalf of the Data Controller.
  • A Data Controller is the entity that determines the purposes, conditions and means of the processing of personal data.

Data Processors will be subject to specific legal obligations and liabilities including the requirement to maintain records of personal data and processing activities. Data Controllers are not relieved of their obligations where a processor is involved but remain subject to further obligations to ensure their contracts with processors are GDPR-compliant.

WHAT DOES GDPR MEAN FOR YOU?

In practical terms, travel program managers and suppliers alike will need to know what data they hold on their travellers, why they’re holding it and for what purpose.

As a result, companies could rethink their strategies to mine data from multiple, disparate sources, whilst
initiatives to provide more choice in corporate travel programs based on travellers’ personal preferences, could be affected. At the very least GDPR will bring greater complexity and add a new dimension to compliance monitoring.

“GDPR drives a data strategy which asks organisations to consider the right data, the right context and to do so in a way that is ethical, compliant and safeguards personal data as a fundamental human right.”

Buying Business Travel, 2017

THE IMPACT ON THE TRAVEL INDUSTRY

Despite GDPR having been four years in the making, travel industry associations have been slow to establish their position on GDPR. The Association of Corporate Travel Executives (ACTE) reached out to its membership “to better understand how the GDPR is directly affecting them and the steps they’re taking to implement it, as well as provide a platform for suppliers and travel executives to share dialogue, knowledge and best practices in a complicated international regulatory environment.”

GDPR also includes a ‘profiling’ regulation which requires organisations to inform consumers if profiling is taking place. Consider the number of times a TMC might update a regular traveller’s profile during the course of a year and you get an idea of the challenges this will create for TMCs who are banking on collecting a lot of data to personalise services.

THE EMERGENCE OF DPOS

GDPR could also see the emergence of a new stakeholder in many companies. The boardroom could become very crowded once Procurement, HR, and IT are joined by a new army of Data Protection Officers (DPOs).

"Over 75,000

DPOs will be needed worldwide to police the GDPR - 28,000 in Europe and the US alone."

International Association of Privacy Professionals

WHAT ISSUES ARE RAISED BY THE NEW LEGISLATION?

HOW WELL PREPARED ARE WE ALL?

Travel Management Companies (TMCs) are used to working with clients whose businesses demand total confidentiality and robust security. GDPR simply formalises the responsibilities many global TMCs, including FCM Travel Solutions, have been practicing for years. Many organisations already have the processes and systems in place to give their clients the required comfort that their data is in good hands.

KEY CONCERNS FOR ORGANISATIONS

Associations and suppliers who have already fallen victim to data breaches as a result of hacking will be especially nervous. Cybersecurity attackers are becoming more and more adept at affecting more systems and are unlikely to be restricted in their reach.

Businesses were the target of 40% of cyber attacks in 2016. Under the new legislation, a business could be fined €20 million or 4% of turnover – whichever is the greater – for a data privacy breach through loss or hacking.

As with anti-corruption and Duty of Care legislation, the companies that regard the new rules as simply an extension of business best practice, or common sense, will prevail.

WHAT HAPPENS NEXT?

"Businesses were the target of 40% of cyber attacks in 2016. Over 200,000 computers in 150 countries were affected by the WannaCry malware in March 2017 including FedEx, Britain’s National Health Service, and Spanish telecom giant Telefónica."

John DiGiacomo,Revision Legal

The onus is on airlines, hotel and car rental companies, train operators and payment card providers to ensure that there processes are fully compliant, and to make that compliance transparent. For everyone in the supply chain, data privacy is as much about brand and corporate reputation.

The long-term implications of GDPR and its international offspring may also be positive. Companies’ data strategies could become simpler and more streamlined as they clarify their objectives and focus on mining essential data only.

The regulation won’t prevent brands from learning more about their customers and employees and using that knowledge to hone their products and policies. They are just going to have to be smarter in the ways they go about it, focusing only on the relevant. The alternative could be rather costly.

If you would like more information about what FCM is doing in relation to GDPR, and the protections that we have in place visit our Trust and Compliance page.

 

PDF icon fcm_cn_white_paper_what_gdpr_means_for_the_travel_industry.pdf