GDPR Is Almost Here. Is Your Travel Program Ready?

GDPR goes into full effect on May 25, 2018. Learn more about how to get your corporate travel program ready for the new EU data regulations and how to protect your organization's data.

When traveling today, digital security is virtually as important as personal safety. Employees on the road are faced with various risks, as the corporate data they have access to can be targeted by pickpockets or malicious data thieves. However, data protection isn’t always about preventing criminals from stealing information. Sometimes it’s about updating policies and procedures to remain compliant with new regulations, like the European Union’s General Data Protection Regulation (GDPR).

Complying with GDPR

Tomorrow, on May 25th, data protection in the EU will get even more stringent, as all 204 detailed pages of the General Data Protection Regulation come into full effect. These new regulations impact all member states of the EU as well as any American companies that handle data concerning EU citizens.

The GDPR protects any personally identifiable information, and the types of data this regulation applies to are broad. Anything from IP addresses to biometric information is considered fair game. As GDPR enforcement begins, organizations that fail to protect customer information from breaches could face serious fines. Those found to be in noncompliance regarding their legal justification for processing data could be fined up to 20 million euros or 4 percent of global gross revenue from the previous year, whichever is greater. 

GDRP noncompliance could cost you 20M euros or 4% of your gross revenue

If your organization has EU citizens who travel for business, your corporate travel policy must account for these changes. A strategic approach to information security focuses on updating company policies and regulations to address evolving privacy concerns.

Addressing Business Travel Concerns

An effective travel program depends on an interconnected web of suppliers, vendors and technology. All along this web are touchpoints where data concerning individuals must be transferred from one party to another. Under GDPR, businesses need a thorough understanding of who is responsible for what data moving between partners, where that data resides at any given moment and how they will manage the disposal of that data when such a time comes.

There are several initial steps you can take to prepare your travel program for the new data protection regulations. At first, it might seem overwhelming to make sure that all of your travel partners are GDPR compliant. This is where you should rely on your TMC. You can leverage their expertise and work with them on:

  • Identifying who is a data controller and who is a data processor since data protection obligations and accountability differ based on the role. The data controller is the entity that defines how the data is used, and the data processor is the entity that processes the data based on the directions of the data controller. Start with your TMC and find out what role they are assuming under GDPR. For example, Direct Travel has recently issued a GDPR Privacy Statement explaining our role to our customers. Besides the TMC, there are multiple obvious touchpoints that personal information passes through during the reservation process like online booking tools, travel suppliers, and expense solutions. Your TMC will help you identify and appropriately categorize other vendors that are not as obvious but are still critical to the travel reservation cycle.
  • Understanding data flows and making sure your organization’s legal counsel is satisfied with the procedures in place. If you are not sure about something, ask your TMC to explain how the data is being used. You should be aware of the transparency requirements to ensure that contracts and policies reflect proper documentation regarding data transfers and confidentiality.
  • Confirming that all data processing agreements between the data controllers and processors are up to date and meet the requirements of the new regulations. Data processors who are involved in your travel program need to have a risk impact assessment and a data processing agreement.

There are a lot of other aspects of GDPR that might affect your travel program, especially when it comes to the rights of the data subjects, which in this case are your travelers. European organizations have had two years to prepare for the changes. If your organization is still in the process of figuring out the new regulation, contact the travel management experts at Direct Travel to learn more about how to build a travel program that protects your organization’s data. 

Related Resources

Corporate travelers can reference this post for the latest information on international travel updates, including ETA, EES, and ETIAS.
From open tech platforms to the evolution of TMCs, here are highlights from Steve Singh’s conversation on the Travel Again podcast.
How to create a sustainable travel policy, integrate sustainability into purchasing decisions, and educate travelers about greener business travel.