The GDPR Deadline Passed
What do the new regulations mean for your corporate travel program?
The European Union’s General Data Protection Regulation (GDPR), which gives consumers the right to know, understand and consent to the data companies collect about them, will come into full effect on May 25, 2018.
As a result of the new regulation, entities based in an EU member country, as well as those outside the EU that offer goods or services to individuals living in the EU or monitor their behavior, must comply with the new law or risk being fined up to €20 million or 4 percent of their annual global turnover, whichever is higher.
Under the GDPR, businesses must inform individuals (referred to as “data subjects”) why they are collecting their personal data and disclose other details of their data operations to ensure transparency. Data subjects also have the right to make choices about how their information is used.
GDPR has major implications for travel services, which involve complex data transactions. Each day, personal data, such as names and passport numbers, must be transferred from data subjects to a variety of third parties, from global distribution systems (GDS) and travel management companies (TMCs) to hotels, airlines, ground transportation providers, online booking tools and so on. Each member of this intricate ecosystem has its own obligation to comply with GDPR, its own decisions to make about how to keep travelers’ data safe, and its own actions to take if there’s a breach.
It gets even more complicated because GDPR makes a distinction between two types of parties collecting personal data. There are the “data controllers,” the ones directly responsible for deciding how and why data is used, and the “data processors” that carry out the controllers’ instructions.
Because of travel’s complex supply chain, organizations may disagree on their role, but generally the GDS and travel suppliers are seen as controllers, while online booking tools are considered processors.
For example, when a hotel reservation is made, we hand off information to the property, which is going to make decisions about how it stores and uses that data and which vendors it uses to process the data. We can’t tell the hotel not to use those vendors or not to treat the data in a certain way. We can’t negotiate a contract like that with every hotel in the world.
Businesses, which are considered data controllers and thus accountable for their traveling employees’ data, must do their own due diligence to ensure the entirety of their travel program complies with GDPR. Part of that may be talking to their TMC and their suppliers about how they handle travelers’ data and verifying that they are meeting the GDPR requirements.
Not only companies based in EU member countries must comply with the new rules. Under Article 3 of the GDPR, any company in the world is subject to the new law if it processes personal data of an individual (aka “data subject”) who resides in the EU when the data is accessed. That applies to businesses that offer goods or services to EU citizens or monitor their behavior.
Firms of any size found to be noncompliant can be fined up to €20 million or 4 percent of their annual global turnover, whichever is higher.
To help companies avoid getting hit with a penalty, here are some steps to take to work toward compliance.
Understand what “personal data” entails
To comply with the GDPR, it’s first important to understand what “personal data” actually means. Under the scope of the new regulation, personal data is any information that can directly or indirectly identify a data subject. In addition to information traditionally considered to be identifying (for example, a name, email address or passport number), GDPR clarifies that unique identifiers like IP address or a mobile device’s ID are also personal data.
Create a data inventory
After understanding what constitutes personal data, the next step is to create a complete and accurate data inventory that determines where personal data resides, how it’s secured, and whether it was obtained and is being used in accordance with the GDPR guidelines.
Some questions to consider when compiling the information: How and why do you collect and store personal data? How long do you retain it? What security measures are in place to protect data? Do you have the necessary consents required by the GDPR and were data subjects informed of the specific purpose for which you’ll be using their data?
The principle of “accountability” is the most significant change under the GDPR. Companies mustn’t simply comply with the new law — they need to be able to prove compliance.
All regulated companies will have to maintain a written report with the details of all their data processing activities, known as a “record of processing.”
Companies working to become GDPR compliant should focus on developing a robust accountability framework that allows them to document, measure and communicate data processes, including keeping records of all personal data, proving consent was given by data subjects, showing what the data is being used for and how it’s being protected.
Ensure transparent data processing
Businesses also must ensure they are effectively and transparently communicating their data processing activities to data subjects. That includes having a complete, concise and easy-to-read privacy notice so consumers can understand how their data will be used.
The privacy notice also must describe how personal data may be transferred within the business, to third parties and to other jurisdictions, and how data subjects can exercise their rights.
In addition to a transparent privacy notice, GDPR requires that businesses make sure data subjects understand how their data is used by building privacy requirements into their products and services.
Keep international transfers compliant
Firms will need to understand the GDPR’s strict requirements around international transfers, especially for services like travel that cross borders. EU data must continue to be protected to an EU standard anywhere in the world where it is stored, accessed or processed, whether within the business or shared with third-party processors.
Appoint a data protection officer
Under the GDPR, many companies will need to appoint a data protection officer (DPO) who is responsible for overseeing the business’s data management systems and monitoring compliance with the GDPR. Some firms will outsource this role to a qualified external expert.
Effectively triage data breaches
The new law also requires mandatory breach notifications when an individual’s data is compromised. The relevant country’s data protection regulator must be notified within 72 hours of the firm becoming aware of the breach. In some cases, the data subjects also must be informed.
To meet this obligation, businesses need to develop a system that lets them identify and prioritize potential breaches of privacy as well as triage complaints and reports.
Effectively manage data protection risk in the supply chain
Under the new regulation, companies also will need robust risk management processes in place for managing third-party relationships and assessing the risks to which they’re exposed.
Any business with European partners must understand its data protection obligations, especially any contractual obligations that apply to the way personal data is handled. European businesses will require their partners operating outside the EU to put new mechanisms in place to ensure any personal data transferred between them meets the GDPR’s requirements.
Partner with GDPR-ready suppliers
Businesses must have confidence that other firms to which they transfer personal data — including travel partners that handle sensitive data — also meet global privacy regulations.