Przemek Koszka, director of technology at Diversity Travel, outlines some of the things businesses need to consider in the run-up to the implementation of GDPR compliance rules this May
As a hardworking travel industry professional occupied with helping people get from A to B as safely and efficiently as possible, there’s a good chance that assessing best practice for protecting data isn’t always a priority in your day-to-day travel management processes.
However, the enforcement of the EU‘s General Data Protection Regulation (GDPR) on 25 May will certainly put it front and centre of your attention. Whether this is the first or seemingly hundredth time you’ve considered what it means for your business and travel management processes, your teams must be prepared by the deadline or potentially face hefty and reputation-damaging fines.
The Brexit factor
Those thinking they can risk avoiding compliance in the knowledge that GDPR will no longer be relevant to the UK as of March 2019 could be in for a shock. The UK government’s Data Protection Bill is currently making its way through the House of Commons, having already passed through the Lords, and is set to implement GDPR into UK law before we leave the EU.
Going forward, it’s safe to assume that if it’s covered in GDPR, it’s in the Data Protection Bill too. Under the new legislation, the Information Commissioner’s Office will be responsible for enforcing the regulations and issuing sanctions to those whose company data is not properly protected. The highest fines for infringement will be, as outlined in GDPR, at either 4 per cent of a company’s global turnover or €20 million, whichever is higher.
Negotiating the jargon minefield
If you’re even vaguely familiar with GDPR then you’ve likely come across the controller/processor distinction. Of the myriad terms and acronyms associated with the legislation, this is the key pair that you must have a firm grounding in.
If you have a designated travel management company (TMC), or a member of staff taking executive responsibility for who can access and process your travel management data, they are likely the controller of this data. However, anyone else external to your organisation who is also party to the data and administering it under your instruction – for example, your financial auditors, marketing agency or IT network host – is a processor.
Controller and processor obligations are extensive and often overlap, but one point is paramount: regardless of whether the controller or a third party has processed your travel data, the controller must keep a record of any processing actions undertaken. Failure to keep such records, and to be able to produce them on request, will leave you liable to fines.
Overseeing the process of securing and auditing this data can be delegated to a special company data representative or, formally, data protection officer (DPO). Although it is unlikely that your business or TMC will process enough data to require you to appoint a DPO, it could be perceived as good practice to do so regardless.
Marketing your business travel activity
Obtaining consent to process an individual’s data or use it for marketing purposes is now more demanding, with the so-called ‘double opt-in’ becoming the expected standard. If you are working with a TMC, they must be clear on exactly what your people have consented to, and on any third parties they may be sharing your data with.
Pre-ticked checkboxes for marketing consent are no longer acceptable practice. Instead, what is expected under GDPR is for consent given via a form – digital or physical – to be followed up by an email requesting further confirmation to receive marketing materials. Finally, it is vital that everyone involved keeps evidence of consent.
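The two record-keeping duties described above – the controller’s record of processing actions, and evidence that each person gave explicit, confirmed consent – are easier to reason about in code. The following is an added illustration written for this article; it is not code from the author, Diversity Travel or any TMC. It assumes an in-memory registry, a 48-hour validity window for the confirmation link, and that only a hash of the emailed confirmation token is stored; sending the actual email is out of scope.

```python
"""Double opt-in consent with an evidence trail and a record of processing.

Added example, not code from the article. Storage is an in-memory dict and
the 48-hour confirmation window is an assumed policy value.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

CONFIRM_WINDOW = timedelta(hours=48)  # assumed: how long the emailed link stays valid


def _hash(token: str) -> str:
    """Store only a digest of the confirmation token, never the token itself."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class ConsentRecord:
    email: str
    purposes: tuple          # exactly what the person agreed to, e.g. ("marketing",)
    source: str              # which form (digital or physical) the first opt-in came from
    requested_at: datetime
    token_hash: str
    confirmed_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None
    events: list = field(default_factory=list)   # the evidence of consent


class ConsentRegistry:
    def __init__(self):
        self._records: dict = {}
        self.processing_log: list = []   # the controller's record of processing actions

    def request_consent(self, email, purposes, source, prechecked=False, now=None):
        """First opt-in. Returns the raw token that goes into the confirmation email."""
        if prechecked or not purposes:
            # A pre-ticked box or an empty choice is not an affirmative act of consent.
            raise ValueError("consent must be an explicit, affirmative choice")
        now = now or datetime.now(timezone.utc)
        token = secrets.token_urlsafe(32)
        rec = ConsentRecord(email=email, purposes=tuple(purposes), source=source,
                            requested_at=now, token_hash=_hash(token))
        rec.events.append({"at": now, "event": "requested", "source": source,
                           "purposes": rec.purposes})
        self._records[email] = rec
        return token

    def confirm(self, email, token, now=None):
        """Second opt-in: the person follows the emailed link. Single use, time-limited."""
        now = now or datetime.now(timezone.utc)
        rec = self._records.get(email)
        if rec is None or rec.confirmed_at is not None:
            return False
        if now - rec.requested_at > CONFIRM_WINDOW:
            rec.events.append({"at": now, "event": "confirmation_expired"})
            return False
        if not hmac.compare_digest(rec.token_hash, _hash(token)):
            rec.events.append({"at": now, "event": "confirmation_rejected"})
            return False
        rec.confirmed_at = now
        rec.events.append({"at": now, "event": "confirmed"})
        return True

    def withdraw(self, email, now=None):
        """Withdrawal must be as easy as giving consent; it is recorded, not deleted."""
        rec = self._records.get(email)
        if rec is None:
            return False
        rec.withdrawn_at = now or datetime.now(timezone.utc)
        rec.events.append({"at": rec.withdrawn_at, "event": "withdrawn"})
        return True

    def has_consent(self, email, purpose):
        rec = self._records.get(email)
        return bool(rec and rec.confirmed_at and not rec.withdrawn_at
                    and purpose in rec.purposes)

    def process(self, email, purpose, processor, activity, now=None):
        """Log every processing action (allowed or refused) with who carried it out."""
        now = now or datetime.now(timezone.utc)
        allowed = self.has_consent(email, purpose)
        self.processing_log.append({"at": now, "subject": email, "purpose": purpose,
                                    "processor": processor, "activity": activity,
                                    "allowed": allowed})
        return allowed

    def evidence(self, email):
        """Everything a regulator would want to see about this person's consent."""
        rec = self._records.get(email)
        return list(rec.events) if rec else []
```

Refused processing attempts are logged as well as permitted ones, because the record of processing is what demonstrates that the check was actually applied; and consent is scoped to named purposes, so confirmed marketing consent does not silently extend to anything else.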
Securing a new data protection consensus in the business travel industry
Taking the dive into company data audits and addressing GDPR’s requirements can seem daunting initially. However, the challenge now is to work together and press ahead regardless, if only in the knowledge that each step towards compliance can be a step towards inspiring greater trust in the travel industry.
GDPR presents a one-time opportunity to play an active role in showcasing our industry as receptive to the changing narratives around privacy and personal data. The alternative – treating greater data protection scrutiny as nothing more than an inconvenience – would be an act of self-harm.