Global

GDPR Blocking & Tackling

By Elizabeth West / March 06, 2018 / Contact Reporter

International Data Transfers

The EU recognizes only a handful of countries as approved jurisdictions to which to transfer data, and some companies have built data centers in the EU to avoid international transfers. Companies transferring data to non-approved jurisdictions, via the cloud or any other means, must comply with the General Data Protection Regulation. They have two immediate alternatives:

Corporate Binding Rules: CBRs set requirements for international data transfers within a corporation but not to third parties. The EU Data Protection Authority requires specific content to be included in the data transfers and calls for companies to document and audit policies and procedures. CBRs are permanent and never require reapproval.

Standard Model Clauses: Standard Model Clauses facilitate data transfers to entities outside an organization. The data importer agrees to data security stipulations outlined by the data exporter. Model Clauses exist now, but none are specific to GDPR. Model Clauses are intended for simpler data transfers; companies with large and varying data transfers likely will require another avenue.

Other Frameworks
Approved certification, ad hoc contracts and derogations are all potential frameworks for data transfer under GDPR. An industry code of conduct, as defined in Article 40 of the GDPR legislation, also has caught the attention of some travel players, though an early effort has fizzled. American Express Global Business Travel chief privacy officer Kasey Chappelle is a code of conduct proponent, and she points to industry associations like the Global Business Travel Association and Association of Corporate Travel Executives as potential leaders in that movement. Samantha Simms, an information law attorney who specializes in GDPR issues and data privacy strategy for large multinational organizations, is more skeptical. "There are a huge number of independent but interconnected players [in travel]. Given the wealth of data these organizations handle, it may be that they want to embed GDPR into their organizations and understand their landscape first before they come together to form consensus."

Technically, the European Union’s General Data Protection Regulation became law in 2016. Enforcement will begin May 25, and if the standing-room-only GDPR Masterclass attendance at last month’s Business Travel Show in London was any indicator, travel buyers are under pressure to square their programs with the new regulations.

GDPR replaces the 1995 Data Protection Directive. It defines data rights for EU citizens, wherever they work or engage in commerce around the globe, and it lays out the conditions under which the data of EU citizens can be transferred outside the European Economic Area—the EU plus Iceland, Liechtenstein and Norway—which is a critical component for travel. GDPR requires all companies that interact with EU citizens to inform these individuals about how their personal data is being used, with what other entities their data may be shared and for how long the data is retained. It requires businesses to allow each EU citizen access to his or her data to rectify incorrect information and change permissions on what is shared; it also underscores the “right to be forgotten” and requires that businesses build data privacy and protection into their policies, processes and operations.

Failure to comply will put businesses at risk of incurring heavy fines should regulators determine they are mishandling data and/or willfully failing to report data breaches. Fines top out at 20 million euros or 4 percent of the previous year’s annual revenue, whichever is higher. The U.K. Information Commissioner’s Office, for one, has clarified that GDPR penalties should be levied in individual cases, based on the type of data compromised and the nature of the noncompliance, and that GDPR includes a host of remedies, leaving fines as a final recourse.

GDPR & Travel Management

“Think of the number of touchpoints involved in just one travel itinerary,” said Samantha Simms, a London-based information law attorney and founder of The Information Collective who specializes in GDPR issues and data privacy strategy for large multinational organizations. She rattled off a few: global distribution system, travel management company, online booking tool, payment solution, airline, hotel, car rental company, risk management provider, regulatory entities, rate shopping tools, expense tool, subcontractors for primary vendors, third-party analytics partners, apps like itinerary managers, and sharing economy providers like Uber & Airbnb.

Ensuring GDPR compliance from all those partners rolls up to the travel buyer. “They must determine who is a data controller and who is a data processor in their programs,” said Simms. “Because GDPR defines obligations and liabilities based on those roles, the burning question is whether the travel manager’s company will be the one penalized when something goes wrong.”

The data controller is the owner of the data, the entity which defines how the data will be handled by the data processor and with whom that data will be shared. Under GDPR, the data controller is fully liable for damages caused by noncompliant processing unless the controller can prove that it is “not in any way responsible for the event giving rise to the damage,” according to draft guidance on GDPR contracts and liabilities between controllers and processors that the U.K. Information Commissioner’s Office published in September. Data controllers are also responsible for reporting data breaches to appropriate authorities and affected individuals within 72 hours of discovery.

The data processor handles data on behalf of the data owner, or controller, and should handle information only according to the written instructions of the controller. GDPR requires minimum contract terms between the controller and the processor, also referred to as the data processing agreement. These agreements: 

  • assure data confidentiality and require documentation of GDPR-compliant data processes
  • include written consent from the controller to pass data to a subcontractor, also called a subprocessor
  • assure the processor will assist the controller in executing the requirements of GDPR, such as adhering to individual rights requirements to access, correct or delete data and disclosing data breaches to the controller within 72 hours

If the processor acts outside the terms of the written contract, it could be liable for fines. The same applies to a subprocessor. This is a change from the 1995 legislation, under which controllers were solely liable.

U.K.-based data privacy and cybersecurity firm Covington offers a summary of key GDPR contract and liability provisions on its website.

Digging into Data Protection

Every data processor in the travel program ecosystem requires a risk impact assessment and a data processing agreement. Several major travel partners qualify as data controllers in their own right, easing liability concerns for corporates under GDPR. As with seemingly everything in travel, however, the relationships can get complicated.

Beyond Consent

Actively getting consent at the point of data capture is just one way to justify capturing data. It’s not the only way. In some cases, it’s not even the preferred way. “Relying on consent as a catchall is going to be quite difficult in an employee-employer relationship but also in a traveler-travel provider relationship,” said The Information Collective founder Samantha Simms. GDPR recognizes other data capture justifications: contractual necessity; regulatory compliance; vital interest, literally meaning a life-or-death situation; legitimate interest; and law enforcement. It must be clear at the point of collection, however, why the data is required, how it will be used and how long it will be retained. Sensitive data like race, ethnicity, health issues, disabilities and sexual orientation may be captured only via consent.

Travel suppliers like airlines, hotels and car rental companies are data controllers under GDPR. Travel buyers are not required under the law to nail down these data and liability relationships, not even with preferred partners. Fortunately, transmitting necessary employee data to these partners need not rely on consent from the traveler, as the information is critical to delivering the services that are purchased and in certain instances is required by government entities for regulatory purposes (see Beyond Consent).

Travel management companies are in a murkier position. It’s possible to contract with a TMC as a data processor, according to Radius Travel senior director of information technology and data privacy officer Chris Giordano. However, “the role the TMC takes under GDPR in some ways determines the services they are able to provide. If [a TMC] chooses to be a processor, it could limit what they do as a business,” he said.

Because of this, most TMCs have taken the role of a data controller. “It seems weird for a TMC, which is technically a vendor, to be a data controller,” said American Express Global Business Travel chief privacy officer Kasey Chappelle, but the law allows for co-controller relationships, giving such vendors the same liability obligations as the data owner. “In the normal procurement process, the systems are set up to assume the vendor is a processor, [but] the TMC relationship requires nuance and it has to be looked at from a functional perspective.”

A number of TMC activities put the TMC in the data driver’s seat: policy enforcement, supplier negotiation and program optimization initiatives that TMCs may assume. “Of course, we are a vendor and the corporate calls a certain number of the shots, but we are also directly responsible for calling some of the shots when the data is in our remit,” she said.

Even as a co-controller, Giordano said TMCs need to provide transparency to corporates about data transfer and downstream processors, including global distribution systems, online booking tools, mid-office processors and others. Because TMCs maintain traveler profiles, they could have access to sensitive information like meal preference that reveals ethnicity or health-related issues. Corporates need assurances that traveler profile information is secure and will be handled properly. TMCs also must adhere to breach notification requirements and assist corporates in supporting data rights and access for individual travelers.

Other vendors fall more easily into the data processor category: online booking tools, meeting management tools and expense management systems are good examples. With these, “it’s a matter of methodically going through the list, prioritizing it and going back to basics,” said Simms. “Understand the data inventory flowing to each provider. Make sure you’ve satisfied the transparency requirements about how the data will be used. Define [in the contract] who’s responsible for data privacy and capturing consent if that is required—and how best to capture it.”

Travel’s Embedded Challenges

GDSs could present a particular challenge for travel. It’s a problem because GDS technologies permeate the travel industry, not just for content and ticketing but also as technology partners for TMCs, airlines, hotels and even other technology providers.


As of 2009, GDS providers have handled data according to an EU Code of Conduct adopted by the European Parliament for computerized reservations systems, and they were considered data controllers under the 1995 Data Protection Directive. A recent article in The Company Dime suggested the GDS’s role as controller could change under GDPR. The story quoted an unnamed travel tech data privacy official as saying, “No one really knows, and no one will know until there is enforcement action” under the new regulation. That might not take long.

GDSs facilitated about 60 percent of the 1 billion air tickets purchased in 2015, but they’ve proved to be a weak security link in the travel technology chain. High-profile security breaches at Sabre and Sabre Hospitality Solutions in the past three years have called attention to the issue, as did a late 2016 hacker convention, Chaos Communication Congress, that showed how easy it is to access passenger name record information and that it’s the key to unlocking personal information on travelers in all the major GDS systems. If GDS providers are not considered controllers under GDPR, it could unleash a cascade of issues for partners.

At least for travel buyers, and likely for other partners, Simms is confident that the GDS’s controller role will stay put under GDPR, though she admits it’s complicated because of the number of services and technologies they provide to the industry. “The GDS sits at the heart of the travel ecosystem,” she said, then posed a rhetorical question: “Can we as parties that sit outside that position expect to define how and why the GDS is using data?”

Rather, Simms believes GDPR offers the industry an opportunity to flip that question. “What we should be looking at, if the GDS is a controller, is why other booking repositories are not,” she said. “Any repository that performs by a factual analysis as a GDS—if you are doing the same thing but with hotel or rail or different content—I would think we should consider a controller. [And] if they are breached, should it not be their responsibility under the GDPR to take necessary actions as a controller rather than reporting back to the large number of subscribers? To date, we haven’t taken a good look underneath the bonnet of data flows within travel. GDPR allows us to take a much closer and detailed look.”
