GDPR is coming: how will it impact business travel?
9 May 2018 by Sam Hart
GDPR is regarded as the most significant data privacy regulation in 20 years. Here’s how it will affect our industry.
What is GDPR?
The aim of the General Data Protection Regulation (GDPR) is to protect the data privacy of all EU citizens. In the UK, the Data Protection Act was introduced in 1998, but technology has grown exponentially since then, and the act was never designed with, for example, social media in mind. GDPR will bring UK law up to date and oblige all organisations to take a good look at the data protection processes they have in place.
Why is it so important?
As citizens of the digital world, we have our data collected through different technologies, sometimes without even being aware it is happening. Social media companies, for example, can monitor our location through GPS. GDPR ensures that there will be much more transparency around how our data is collected and used. As we saw in the news in March, Cambridge Analytica allegedly harvested the data of 87 million Facebook users in an attempt to influence the outcome of the 2016 US election. The data was used for a purpose other than the one for which it was collected, and to sway the behaviour of individuals. Because of its wide-ranging scope, GDPR will help to protect against examples of misuse like this.
How will GDPR impact the travel management industry?
One of the bigger challenges within the industry is how we ensure that personal data continues to flow freely around the world but in a GDPR-compliant way. It may sound obvious, but it is impossible to book travel and hotel services internationally without sharing data internationally. We need an industry-wide approach to personal data transfer and sharing. Capita Travel and Events has been working with the Guild of Travel Management Companies (GTMC) to establish a code of conduct for the industry that will satisfy the Information Commissioner’s Office (ICO) – the UK Government data protection agency that reports directly to Parliament.
What are the key changes that travel managers need to be aware of?
GDPR will increase the rights of individuals. For instance, they can request a copy of the data an organisation holds on them, ask for it to be deleted, and ask to opt out of any automated decision-making processes. This means that organisations controlling and processing data will need to be increasingly conscious of where personal data exists across their supply chains. They must, as far as possible, ensure that data is being adequately protected when transferred and, where a third-party sub-processor is engaged, that equivalent data protection in line with GDPR has been put in place. Also, if sub-processors change or are added at any point, the data controller must be made aware, particularly if this includes a transfer outside of the European Union or European Economic Area.
If an organisation is a data controller and collects data, then its privacy statement must clearly state why it is collecting an individual’s data, what it will be used for, where it will be stored, if it will be shared with another company and how the data can be amended if it is wrong.
How is Capita preparing for the upcoming changes?
We are ensuring that we have the right measures and documentation in place, while exercising our due diligence over customers’ data. We are a data processor in that we act under contract for our clients who are data controllers. Data controllers must now have GDPR contractual clauses in place with their TMCs, so we are revisiting contracts. As a data processor, we are also engaging and working with our partners and third-party processors to check that they are up to date with the new regulation. Everything is interdependent. For example, if someone approached a data controller and asked to be ‘forgotten’, the organisation would need to make sure that the individual’s details were deleted from all systems, including those of partners and sub-processors.
Can you tell us more about the ‘right to be forgotten’?
Individuals will now be able to ask companies to delete their personal data. This will be a challenge in the travel management industry, as it is not as simple as removing data from one database. There is a myriad of interconnected systems and the personal elements will need to be removed from all of them.
What other challenges are there for the travel management industry?
There is another challenge around the retention of personal data. Organisations can only retain data for an appropriate length of time, and once it has fulfilled the original purpose for which it was collected, it needs to be deleted. For example, if registration details for a specific event are being collected, those personal details will no longer be required once the event is over and feedback has been provided. It is more complicated in the travel management industry, as business travellers tend to repeat bookings. To enhance the traveller’s experience and improve the quality of our services, we may need to keep some data for an extended period. Nevertheless, we are obliged to do our housekeeping and confirm that data is not held for longer than required.
What happens next?
GDPR will come into force on 25 May, so we will continue working with the GTMC as part of its working group, to bring in an industry-wide approach, which will be tested with the ICO. We are also carrying out training and workshops internally to make all of our teams aware of the new regulation. Everyone needs to be mindful about data and carefully consider the best and most secure method for transferring personal data.
For more information on Capita Travel and Events’ GDPR compliance plans and our efforts to encourage an industry-wide approach to data protection, please contact Sam Hart.
Disclaimer: Please note that this article doesn’t constitute legal advice on GDPR.