Kasey Chappelle, chief privacy officer at American Express Global Business Travel, explains what the upcoming GDPR really means for the business travel industry
Without sharing personal details, a business traveller won’t make it far from home. Essential information, including name, passport number, birth date and much more, is shared between companies in a complex ecosystem. It may go from travel buyer to online booking tool to travel management company (TMC) to global distribution system (GDS) to travel supplier, with many subcontractors in between. But who is responsible if, somewhere between booking and boarding, the data is misused or breached?
That’s one question the business travel industry will have to answer by 25 May 2018, when the new EU General Data Protection Regulation (GDPR) applies, bringing strict penalties (fines of up to 4% of worldwide annual turnover or €20 million, whichever is higher) and higher compliance expectations. Data protection law is not new: the Data Protection Directive has applied since the 1990s. GDPR is data protection 2.0, closing the gaps that have emerged since the directive was enacted. What does it change, and why does it matter for business travel?
Defining roles and responsibility
Data protection law divides organisations into controllers, which decide why and how personal data is processed and are directly responsible for it, and processors, which process data only on behalf of and on the instructions of a controller. But travel is complex, and participants may disagree about their role. The travel buyer, GDS and travel supplier are each directly responsible as controllers for their respective activities. For other players it’s not so clear; for example, what role does the TMC play?
Given the services TMCs provide and the decisions they make, all TMCs are likely controllers under the law. This is best for clients, too – the TMC is in the best position to design privacy programmes specifically for travel data and to take direct legal responsibility for their compliance.
Recent breaches have shown how little clarity there is about who is responsible for remedying them, particularly when they happen at companies that underpin so much of the travel data infrastructure. Industries can better define where responsibilities lie by making use of the new emphasis GDPR places on cooperative standards, including the industry codes of conduct provided for in Article 40.
Privacy by design
We talk a lot about traveller-centricity and the consumerisation of business technology. Travel is adopting the big data advances of the consumer technology giants; we should be careful not to adopt their privacy problems, too. When we use big data, when we track location for duty-of-care, or when we put virtual assistants in booking tools, privacy protection must be built in right from the start.
GDPR mandates privacy by design (Article 25 calls it data protection by design and by default): the long-standing best practice of building privacy into a technology from the outset rather than expecting lawyers to solve it at the end. Travel buyers who work with innovative, data-driven companies need to have confidence that privacy is incorporated into product development from concept to launch. Not only is this the law, it’s also how to build privacy-protective travel technologies.
The new law doesn’t just affect how services are built, but also how they’re communicated to the traveller. Under GDPR, consent must be specific, unbundled from other terms, and revocable – not a mandatory tick box next to a long and legalistic privacy statement. This is going to be one of the biggest challenges of GDPR.
Most core travel processes are poorly suited to consent. A traveller cannot revoke permission to use their passport number and still expect to fly. Consent has been overused in situations where it was never appropriate, and structured so that it was never a real, freely given choice anyway. Consent should instead be reserved for purposes outside the core travel service, such as marketing, where it can be meaningfully granted and easily withdrawn. Processing that the trip itself depends on rests on a different lawful basis, such as performance of the contract with the traveller, and should not be dressed up as consent at all.
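As an added illustration of that split (example code written for this page, not American Express Global Business Travel's or any TMC's system; the purposes, lawful bases, field sets and traveller record are all constructed for the example), the following Python ties every processing purpose to one lawful basis, lets consent be granted and withdrawn only for consent-based purposes, refuses to even record "consent" for processing the trip depends on, and releases only the fields each purpose needs:

```python
from dataclasses import dataclass, field
from enum import Enum


class Basis(Enum):
    """Lawful basis for a processing purpose (hypothetical minimal set)."""
    CONTRACT = "contract"  # needed to deliver the booked trip; not revocable
    CONSENT = "consent"    # optional; must be specific and revocable


# Hypothetical purpose registry: each purpose has exactly one lawful basis
# and the minimum set of fields it may use (purpose limitation).
PURPOSES = {
    "ticketing": (Basis.CONTRACT, {"name", "passport_number", "birth_date"}),
    "marketing": (Basis.CONSENT, {"name", "email"}),
    "profiling": (Basis.CONSENT, {"name", "trip_history"}),
}


class ConsentError(PermissionError):
    """Raised when a consent-based purpose is used without valid consent."""


@dataclass
class ConsentLedger:
    """Per-traveller, per-purpose consent. Granting is only possible for
    purposes whose basis is consent, so 'ticketing' can never be consented."""
    granted: dict = field(default_factory=dict)  # traveller_id -> set(purpose)

    def grant(self, traveller_id: str, purpose: str) -> None:
        basis, _ = PURPOSES[purpose]
        if basis is not Basis.CONSENT:
            raise ValueError(
                f"{purpose!r} rests on {basis.value}; do not ask for consent")
        self.granted.setdefault(traveller_id, set()).add(purpose)

    def revoke(self, traveller_id: str, purpose: str) -> None:
        # Withdrawal must be as easy as granting: no conditions attached.
        self.granted.get(traveller_id, set()).discard(purpose)

    def has(self, traveller_id: str, purpose: str) -> bool:
        return purpose in self.granted.get(traveller_id, set())


def access(record: dict, purpose: str, ledger: ConsentLedger) -> dict:
    """Return only the fields `purpose` may use, enforcing its lawful basis."""
    if purpose not in PURPOSES:
        raise ValueError(f"unknown purpose {purpose!r}")
    basis, allowed = PURPOSES[purpose]
    if basis is Basis.CONSENT and not ledger.has(record["traveller_id"], purpose):
        raise ConsentError(f"no valid consent for {purpose!r}")
    return {k: v for k, v in record.items() if k in allowed}


# Constructed sample traveller record (not real data).
TRAVELLER = {
    "traveller_id": "t-001",
    "name": "A. Traveller",
    "passport_number": "X1234567",
    "birth_date": "1980-01-01",
    "email": "a.traveller@example.com",
    "trip_history": ["LHR-JFK", "JFK-LHR"],
}


def walkthrough() -> dict:
    """Run the scenario from the text and return a summary of each step."""
    ledger = ConsentLedger()
    out = {}
    # Ticketing needs no consent: it rests on the contract basis.
    out["ticketing_no_consent"] = access(TRAVELLER, "ticketing", ledger)
    try:
        access(TRAVELLER, "marketing", ledger)
        out["marketing_before_grant"] = "allowed"
    except ConsentError:
        out["marketing_before_grant"] = "refused"
    ledger.grant("t-001", "marketing")
    out["marketing_after_grant"] = access(TRAVELLER, "marketing", ledger)
    ledger.revoke("t-001", "marketing")
    try:
        access(TRAVELLER, "marketing", ledger)
        out["marketing_after_revoke"] = "allowed"
    except ConsentError:
        out["marketing_after_revoke"] = "refused"
    # Withdrawing marketing consent has no effect on the trip itself.
    out["ticketing_after_revoke"] = access(TRAVELLER, "ticketing", ledger)
    return out


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step}: {result}")
```

The point of the registry is that the lawful basis is fixed per purpose at design time, so a booking tool cannot later bolt a "consent" checkbox onto ticketing, and marketing code can never see a passport number no matter what the traveller has agreed to.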
Putting the focus on privacy
In travel, as in every industry, there’s a renewed focus on data, the oil of the information economy. At its core, GDPR requires companies to build sustainable data practices that respect fundamental rights.
The sky isn’t falling – remember GDPR is an evolution, not a revolution. But some companies may not be prepared, especially small- and medium-sized businesses that do not have the personnel or the resources to build a comprehensive privacy programme. Travel buyers should work with companies that have created GDPR-ready programmes tailored to travel, and are willing to take on the direct responsibility as a data controller.
Kasey Chappelle is chief privacy officer for American Express Global Business Travel. She leads the company’s privacy risk management programme. Previously, Chappelle held similar roles at Vodafone Group in London and eBay in California. She began her career in regulatory law at Willkie Farr & Gallagher in Washington, DC.