Data protection: Prepare for privacy

A new data regulation launches next year that will protect individual freedoms while shaking up the travel industry, says Nick Easen

There’s one date that travel buyers should be aware of and that’s May 25 next year, which is when landmark legislation, the General Data Protection Regulation (GDPR), comes into force. Despite Brexit, it could shake the world of data privacy in the travel industry to its core.

It won’t be long now before business travellers across Europe have a fistful of new rights, including the right to have personal data deleted, fresh access rights, new civil liberties around data portability and consent, as well as the right to be informed of data breaches quickly.

The passport, personal details, preferences and sensitive data that are held by airlines, hotels, travel management companies, online travel agents, loyalty programmes – basically anyone in the supply chain who handles our information – will be profoundly affected.

“While there were existing data protection directives and regulations in the past, the GDPR brings a much-needed refresh to the requirements to bring power and control of personal data back to the individual,” explains Paul Prior, managing director of the performance analytics practice at FTI Consulting.

This follows a trend occurring around the globe. There’s now increasing demand worldwide that organisations understand and mitigate the risks when they handle our personal data. This new EU law goes beyond the UK’s Data Protection Act and brings digital-age law and order to the wilds of data use.

“Business travellers will be able to govern how their information is used, to ask questions and take action if they think an organisation is not dealing with data properly,” says Simon Bunce, director of legal affairs at the Association of British Travel Agents (ABTA). 

If you want an airline to forget that you like chicken or fish, a ground carrier to erase your pick-up address, or a hotel to delete your loyalty data, you will have that right. You will also have the ability to know what data is held and who holds it. Since travel managers handle this data, they may have to act on a traveller’s behalf.

This piece of legislation is already generating debate across the UK and beyond, since it demands higher levels of security and compliance. The reason for this is that GDPR has teeth: break the law and your company could face a maximum fine of up to €20 million or 4 per cent of global turnover, whichever is greater. The potential fine is now so high that it can’t be ignored.

For instance, in March Flybe was fined £70,000 for sending over three million marketing emails. “The company deliberately contacted people who had already opted out of emails from them,” explains Steve Eckersley, head of enforcement at the Information Commissioner’s Office (ICO). “Sending emails to determine whether people want to receive marketing without the right consent is still marketing, and it is against the law.”

Under the new rules from Brussels, companies like Flybe could be fined millions of pounds. The airline will certainly have to review how it obtains customer consent when GDPR comes into force. The law is also aimed at promoting trust, since only one in four UK adults trust businesses with their data, according to a survey by the ICO.

More importantly, data protection issues are fast becoming reputation issues. Investors have started punishing companies for security breaches. According to a study by Oxford Economics, a firm listed on the FTSE 100 becomes worse off by roughly £120 million in the wake of a breach, while share prices fall by an average of 1.8 per cent. British Airways’ recent IT debacle and data dropout is not without consequences either.

In data we trust

The GDPR is also wide-ranging. It has an extra-territorial effect. If your travellers’ data is sitting on a US server, as a lot of it is, then it will have to comply with this EU legislation. If an airline in China is holding data on a British executive, it too must fall into line. Basically, anyone who handles information about EU citizens – processors, collators and collectors – will have to comply.

“Many organisations find themselves overwhelmed. GDPR drives a data strategy which asks organisations to consider the right data, the right context, and to do so in a way that is ethical, compliant and safeguards personal data as a fundamental human right,” explains Prior.

When asked about preparation for GDPR, many companies and organisations gave stock answers, saying they are taking the legislation very seriously. Travel buyers will have to know what data they hold about their executive travellers, why they’re holding it and what they’re using the data for. The same applies to suppliers.

This creates issues for those companies in the supply chain that are increasingly trying to build up a detailed picture of their clients and customise loyalty schemes and marketing directly to them. GDPR will force many travel companies to rethink their strategies, or at least to ask executives for more explicit consent.

“The significant aspect is the ‘profiling’ regulation, which could mean issues for those TMCs who are banking on collecting a lot of data to personalise services,” explains Antoine Boatwright, chief information officer at Hillgate Travel.

Getting started

First, GDPR means that organisations need to get started with their preparations if they’ve not already done so. The UK government has made it clear that it intends to implement this European legislation in full, irrespective of Brexit, in a bid to pre-empt a global trend towards greater data transparency and accountability.

“The strengthening and unification of data protection regulations such as this should help to drive universal standards across geographies,” states Philip Jeffs, compliance officer at ATPI. “We expect that over time it would create a much more robust and secure travel service value chain for corporates, travellers and service providers.”

Yet many companies are unsure about what they need to be doing to prepare for GDPR. There is a myriad of surveys showing how unprepared companies are. The practical scope and potential implications of this legislation are also still being debated by regulators, trade bodies and privacy lawyers.

The Institute of Travel Management (ITM) says it is in the process of speaking with its members and Industry Affairs Group to establish their position on GDPR. Greeley Koch, executive director of the Association of Corporate Travel Executives (ACTE), says:

“We’re reaching out to the ACTE community to better understand how the GDPR is directly affecting them and the steps they’re taking to implement it, as well as provide a platform for suppliers and travel executives to share dialogue, knowledge and best practices in a complicated international regulatory environment.”

The task is not to be underestimated. At least 75,000 new data protection officers (DPOs) will be needed worldwide in the coming years in response to this EU law, according to the International Association of Privacy Professionals. In total, 28,000 DPOs will be needed in Europe and the US alone.

It is increasingly apparent that GDPR compliance needs a holistic and integrated approach. This involves many stakeholders, processes and technology, all of which need to talk to one another. One travel manager said that they thought it was not their issue but that of their IT department. But this is not the case.

Travel managers and suppliers, IT, privacy and data protection officers, the board, and business and security professionals must all get involved and take a proactive approach if companies are to be compliant. Certainly, people need to act less in silos and realise that everyone has a vested interest in making information governance work. In many ways, who owns the issue is the issue – and with this new legislation, it is everyone.

“I think that GDPR, although costly and onerous, will definitely increase the seriousness with which data is handled,” says Boatwright. “I believe that as this legislation settles, a market will grow around it to provide tools to make dealing with it easier and more accessible.”

There’s no doubt that the business of data will never be the same again and now the clock is ticking down to May next year.

The issues that GDPR raises:

  • Many travel managers and suppliers sit at the centre of a complex ecosystem of information that raises questions about data protection at every single node in the data space.
  • This is not a box-ticking exercise; it’s about a whole cultural shift within an organisation in terms of respect for people’s data.
  • The legislation will affect all those parties handling data; everyone is responsible, from the collectors to the processors.
  • This is like no other piece of legislation before it.
  • GDPR is just one data law; more will be coming down the line, particularly from other territories beyond the EU.
  • Data integrity and information governance are everyone’s issue, not just that of the IT department.

Q&A with ABTA on GDPR

BBT spoke with Simon Bunce, director of legal affairs at the Association of British Travel Agents about this new regulation.

What issues does GDPR raise for the managed travel sector?
We can expect everyone to demand higher levels of security and compliance following the introduction of the law and any perceived weakness in this area will damage trust. The biggest priority now is having a good awareness of this EU regulation and having the organisational capacity to start making changes in time for its introduction in May next year.

What is involved exactly?
We are directing people to the ICO’s ‘12 steps to take’ guidance document. We’re raising awareness about the data that organisations hold and why they have it; how they protect it; how long they hold it for; and what they tell the data subjects about the data they hold.

What do the changes mean for business travellers and their data?
The ICO has referred to ‘surprise minimisation’ as the watchwords for companies that deal with personal data – people should not be surprised that you have their data or by how you use that data. These are good principles for companies to adopt, and they require all parts of the business to have a deep understanding of why data is held and how it can be used.

What are the consequences of GDPR as a law in terms of trust and accountability?
You need to have confidence that data is held securely and used only for the purposes necessary for the agreed services. This will be increasingly important to all business customers. The wider picture of GDPR is reassuring customers so they trust your brand; if data protection and security are handled badly, it can be very damaging to a brand.

Everyone in the travel supply chain will have a higher risk profile. How can this be managed?
The contracts that sit behind the travel supply chain will need to be reviewed to ensure that they provide sufficient protection for the data that passes along that chain. Having effective contractual controls, as well as monitoring processes to ensure compliance, will be a necessary part of travel contracting.
