Buyers need to consider how GDPR will affect the management of traveller profiles
Anne Barlow works for a financial institution in London as head of EMEA travel operations. She has been working for the company for 22 years managing a variety of services and has spent the past ten years in the travel department.
“We have around 14,000 travellers, and profiles are managed regionally,” she explains. “In EMEA, we take their first name, last name, passport number, any frequent flyer cards and encourage them – although they need little encouragement – to add an emergency travel contact number to their profiles, which transfer to our traveller tracking tools.
“Details such as medical history, any medication they are taking, home address and next of kin are held separately by HR. If there was a medical incident, for example, that would be picked up by HR and their line management. For high-risk countries, we have additional security measures directly with our travellers and security services.”
Here are Barlow’s thoughts on managing travellers’ data.
1 We need a traveller’s home address in the car booking tool, so that they can click one button for pick-up from home and transfer to the airport, rather than re-keying information every time. We are covered from a GDPR [General Data Protection Regulation] perspective because there will be a front page that says to users: do you accept your details are kept here for this purpose? This is clearly required for car bookings or the traveller would have problems being picked up from home and will have to type it in for each booking. The car and taxi booking tool supplier Encompass has been very proactive in relation to GDPR, making sure they are compliant and getting the right messages in the tool.
2 If you move to bring your own device (BYOD), as we are, you need travellers’ personal mobile numbers. If the traveller declines this request, we will document this, so if there was an incident then the line manager would understand why we could not make contact by phone (we would, of course, send emails). Most people are happy to give their personal mobile number for travel use but do not necessarily want it in the office system where people could use it in and out of hours.
3 We ask travellers or travel arrangers to update profiles and run regular checks to delete details of leavers. We clean other information as well, so if somebody’s company American Express card is in their profile but they have not used it, we tell them we are closing it down but they can always reapply for it – that reduces our level of risk. We send regular reminders to ask people to keep their profile up to date, and do a monthly sweep of profiles to highlight missing mobile numbers so that we can remind people that we do not have an emergency number for them. We give a few reasons why we need it – traveller tracking, duty-of-care and the ability to provide support in the event of any travel disruption. In addition, after an incident, we often send an email to remind travellers how important it is that we can get hold of them during a future incident.
4 GDPR means companies have to get fresh consent to use personal data, which will have to be collected according to the GDPR requirements. This will not have a big effect in terms of collecting the information, if the traveller already provides it, although we will need fresh consent. We are not communicating with our travellers about this yet, but I think things will change when we hear from the company about its policy regarding vendors – and not just from a travel perspective; for example, people load their card details for payment in our vending machines, sending off personal mail, etc. We are waiting to hear from our risk team so that we can deal with it all in one communication. Our legal team is working closely with the Group Data Protection Programme to ensure that the bank’s entities comply with GDPR. We are also working with our vendors to ensure they are complying.
5 We are rolling out a new online booking tool so people will have to rebuild their profiles as they go into the tool. We will make sure we have the correct GDPR messages, correct mobile number, etc. It is a good exercise to have to update everything and, as much as it’s a pain for some travellers, it is really good due diligence. The process using the new tool is also easier as it is more user-friendly. The details will be downloaded from HR and additional detail can then be added, if necessary.