Personal data makes business travel
possible. It can also make business travel smarter and faster. Data, handled
effectively and appropriately, can bring down costs, increase compliance with
laws and policies and keep travelers happy and safe. The European Union’s
General Data Protection Regulation, coming into force this May, aims to update
how personal data is handled and shared. It has a broader scope than the law it
replaces, so any company handling EU data must pay close attention to this
shift.

Travel is complicated, and business
travel involves high-risk data. A travel transaction isn’t a simple data flow.
It involves many different entities located around the world. Business travel
is increasingly driven by data-powered consumer technologies that can cause
privacy problems if they are not handled carefully.

Data Awareness Will Lead to Opportunities: Smart companies are treating
GDPR compliance as an opportunity
rather than a risk. Here’s one example: The law requires companies to maintain
a record of data-processing activities. Some companies will have a compliance
analyst update a spreadsheet as business processes change. Others will take
this opportunity to create a data inventory, forming the basis of a
data-governance program that meets GDPR obligations but also furthers business
goals for data quality and accuracy. That will reduce errors and power better
client and traveler services. In 2018, as GDPR forces companies to become more
rigorous about charting and monitoring their data, it will drive better
business practices and even new opportunities.

Dialogue Will Create Clarity: Data
protection law divides organizations into controllers and processors. The
former are directly responsible for data; the latter process data only on the
explicit instruction of a controller. The travel buyer, global distribution
system and travel supplier by law are controllers. Travel management companies
take differing positions, but most provide services complex enough to qualify
as data controllers, and they will offer controller compliance to clients.
Those TMCs take on the responsibility—and the liability—of data protection compliance.
That can lift the GDPR burden from travel managers significantly.

Still, travel managers need to educate
internal stakeholders like procurement and compliance departments that travel
programs are different. They may already have had to explain to their lawyers
why a contract can’t be—and doesn’t need to be—executed with every potential
hotel, airline and ground transport company around the world. This task can be
made easier through industry dialogue and standardization. Travel industry
associations have started to share explanations of complex data protection
issues specific to travel, such as proper treatment of meal preferences and
disability assistance requests, and legal analysis of international travel
booking transfers. Further, they can align on technology solutions and sponsor
industry codes of conduct to simplify compliance and ensure data is protected
across the travel transaction.

Breach Notifications Will Drive Security Practices: Cybercriminals
increasingly target vulnerabilities in the
travel ecosystem. Travel companies must pay close attention to how they secure
the valuable data they handle. GDPR doesn’t change that; it does, however,
impose new obligations on companies that experience breaches. Breach
notification laws, active in the U.S. and a few other countries, have forced
companies to pay closer attention to security programs and their responsibility
to the public when breaches are uncovered. GDPR will have a similar effect for
EU citizens. Breach announcements will increase dramatically in 2018, and
companies will be forced to improve their incident response times and formalize
their protocols.