Guest column: Have you got the key to data security?

Ali Hussain, chief innovation and technology officer at ATPI Group, discusses the steps travel managers need to take to ensure their programme is data security compliant

The need to ‘keep information secure’ is well recognised but often this is easier said than done. Despite the many articles about what General Data Protection Regulation (GDPR) imposes on travel management companies, it is worth a review of the key considerations and steps you should take if you are a travel manager looking to appoint a TMC. In particular, what are the areas to address and what questions should you ask in the RFP process? In short, how can you safeguard your and your company’s data in a digital world?

How can you manage consent?
First and foremost, for staff who travel it is important that you have consent to pass on their data to your TMC – after all, it is details such as name, passport number, email address and date of birth that form the basis of the booking.

GDPR spells out clearly that individuals have a right to access and change that data whenever they want. Typically, travellers would do this through their employer, since they are the data controller with the TMC. But bear in mind travellers may well want to see that the data TMCs have gathered about them over time is correct – such as personal preferences and loyalty scheme membership.

That means being able to access information simply and, if it is to be stored, it is in an easily accessible and readable format. This is a big GDPR practice change, since having the ability to download information in Excel or csv format is handy, but it also means that information can be easily copied if the correct security protocols are not in place.

To keep things simple, TMCs might have special privacy sections in user account settings, which allow travellers to opt in and out of how data is gathered, stored, transferred and used. It is important that this process is efficient – no client wants the management of data and compliance to get in the way of their core business.

How do you address concerns around how traveller data will be shared?
Travel companies fall right in the sweet spot for regulators, since they handle the data from customers and pass it on to third parties. Massive data exchange via APIs is common practice, so it is incumbent on TMCs to have updated contracts in place with all the suppliers they use that contain specific provision about protection of individual rights. TMCs should understand how their partners use and process information, how it is protected, and how it can be deleted. And remember, this requirement is worldwide for EU citizens so it might mean thinking twice about using ‘less aware’ suppliers in out-of-the-way destinations, for example, using smaller hotels/accommodation in remote locations.

TMCs operate in a highly regulated market and certainly those TMCs with a global footprint are expected to have the tools and capabilities to meet global standards for data management. Having the correct measures in place to tackle cyber security is an important box to tick in this context. Without them the damage to company reputation, loss of revenues and inevitable regulatory fines can be catastrophic. All the GDPR headlines tend to focus on data breaches, since this is where the big – and potentially ruinous – fines come in.

Ask how TMCs are reducing the cyber-security threat. You should expect anti-virus software, firewalls, multi-level encryption and separate back-up servers as a matter of course. Travel managers should ask how these back-up copies are kept separate and secure too.

In order to prepare for the worst case scenario, it’s worth asking your TMC what measures are in place should a data breach occur – how they plan for handling crises is a useful indicator of how switched on they are.

How do you know if your TMC will continue to protect your data in the future?
Businesses might think that now the GDPR deadline has passed that they can’t be seen to be asking for help. This is incorrect.

In fact, the Information Commissioner’s Office (ICO) – the body enforcing the rules for the UK – has come out and said it wants businesses to treat GDPR as an on-going process. Like all other companies, TMCs are being encouraged to focus on education of their staff, with the ICO stressing it wants to offer support and guidance rather than punish organisations through enforcement action.

TMCs should ensure they have regular GDPR audits to cleanse data, as well as formalised GDPR refresher training for staff – something the ICO has pledged to take into account if any data breaches occur. Data compliance is an ongoing process and as well as regular audits other areas to maintain it can also include reviews of policy documents and investigations into your own in-house logs and monitoring.

Similarly, look to see how your prospective TMC deals with regulatory bodies across the security industry. ATPI, for example, is a participating organisation for the PCI Security Standards Council, which means it helps offer insight in the payment security field. ATPI also conducts regular third party cyber security and vulnerability tests to help strengthen our network and data.  

As many companies continue to deal with the impact of GDPR legislation, for any buyer it is important to remember that when appointing a TMC they are also taking on the role of consultant. A key part of this is to advise on and provide a framework for data compliance so that from a data point of view your travel programmes are as safe as possible, with a well-rounded approach on security, compliance and operational efficiency.

For more information, visit

Subscribe to the BBT Newsletter

Join the Buying Business Travel newsletter for the latest business travel news.

Thank you for signing up!