For most organizations, it’s business as usual after Europe’s new privacy measures embodied in the General Data Protection Regulation (GDPR) came into effect on May 25. That is largely because of the efforts of the major travel suppliers and industry associations.
While the new data security and privacy requirements are aimed at protecting European Union citizens, they also cover non-European organizations that offer goods or services to — or monitor the behavior of — European Union citizens.
So, non-European Union corporations with operations or staff in the European Union fall under the regulation for their European residents’ data, potentially impacting on global travel programs.
GDPR also applies to all companies processing and holding the personal data of subjects residing in the European Union, regardless of the company’s location.
The new requirements can be significant for travel managers, who keep large amounts of traveler data such as health status, dietary requirements and travel preferences, and share much of that with travel management companies, airlines, hotels and security providers.
American Express Global Business Travel started to build GDPR-compliance and Privacy by Design principles into its programs, products, and services more than two years ago to ensure GDPR readiness, according to Michael Savicki, vice president of compliance and risk for the Americas.
American Express Global Business Travel and other major travel management companies operate as “data controllers” and are directly responsible for compliance with GDPR.
Meanwhile, downstream suppliers may be classed as “processors” (those who process data only on the explicit instruction of a controller) and have limited liability.
“The travel buyer, GDS, and travel supplier are all by law directly responsible as controllers and for their individual GDPR compliance,” Savicki explained. “Procurement and compliance departments may be unaware of the complexity with travel data and the many necessary players within the traveler ecosystem. Travel managers need to educate internal stakeholders, explain how a travel program is different and guide workable compliance solutions.”
UK-based corporate travel consultant Chris Pouney believes most travel management companies have ticked all the boxes to ensure their own compliance with the new requirements. “I do worry though about smaller operators, particularly TMCs outside the EU working with global companies. In theory, this should provide further incentive for global travel buyers to mandate the use of (a single global TMC) or a reduced number of TMC suppliers to support their global requirements.”
According to Pouney, companies should have nothing to fear from GDPR. “This is just enshrining in law what is recognized as good practice and most reputable companies have (or at least should have) been doing most of the requirements and more anyway. This is particularly true of those companies who have invested in International accreditation such as ISO27001.”
The new requirements are extremely onerous for the multinational technology and solutions providers headquartered in Europe and handling data for global clients in their European jurisdictions.
Amadeus, for example, has engaged in the same way with customers both inside and outside Europe regarding GDPR.
“As a legal entity located in Spain and therefore within the EU, Amadeus is subject to the GDPR, both as a Data Controller for the GDS and as a Data Processor for IT Services,” a spokesperson told Skift. “Amadeus has used its experience of complying with EU data protection legislation where the concepts have been similar to those under the GDPR to help our clients – both EU and non-EU – understand the requirements imposed by the GDPR.”
Similarly, business travel payment solutions provider AirPlus, headquartered in Neu-Isenburg, Germany, sees data protection for both EU and non-EU customers as one of its strongest assets.
“Therefore, no significant or fundamental changes to our processes are necessary, as we have also complied with previous data protection regulations,” it said in a statement.
Nonetheless, AirPlus has modified its internal processes to accommodate the new “information obligations, information rights and other rights of those affected”.
GDPR AS AN OPPORTUNITY
Most in the corporate travel supply chain have urged clients to use GDPR as a chance to update and improve their systems and processes.
“We view GDPR as an excellent opportunity to discuss our broader privacy program and controls. We have invested a considerable amount of time discussing both our GDPR readiness and broader compliance programs with our clients to make sure that the proper dialogue was set in motion well in advance of the May 25th deadline,” Savicki said.
Those discussions resulted in “a very productive engagement with our clients on critical privacy issues surrounding business travel, including the use of data, storing it securely and deleting it when it’s no longer necessary”.
“The essence of GDPR is to change mindsets, to ensure that data privacy is at the heart of your business, and data is only used for what it was intended for, is not kept for longer than necessary and is destroyed appropriately,” said Pouney.
There is a strong belief that GDPR, which already reflects legislation in other jurisdictions, will become an international benchmark.
“Don’t ignore the changes. This very well could be the wave of the future, not just for Europe, but more broadly,” said Jessica Collison, director of research at the Global Business Travel Association.
INFRINGEMENTS FACE STIFF PENALTIES
While much of the focus has been on travel management companies, Savicki warned that organizations need to understand the different channels travel data passes through, whether through airlines, ground transportation, or hotels. They should also be aware of what those travel suppliers are doing to comply with the GDPR.
According to the EU, organizations can be fined up to 4 percent of annual global turnover or $23 million (EUR20 million) for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements; for example, not having sufficient customer consent to process data.
But Pouney is advising clients that prosecutions, especially in these early days, are very unlikely. “Companies that are trying to do the right thing but just make a mistake or two are going to be offered more education and guidance to get it right. For you to end up being prosecuted, you will need to show complete contempt for the law and, regardless of the potential fines, no company can risk the reputational damage of that,” he said.
Looking longer term, there is an expectation that the privacy protection embodied in GDPR will become the norm globally, so travel managers need to adapt.