The European Union’s General Data Protection Regulation (GDPR) is set to go into effect on May 25, 2018, increasing privacy standards for travelers. The regulation will affect only those companies in the EU or multinational companies who do business in the EU. The GDPR brings with it many changes, but Travel Incorporated is here to help as we comply with the GDPR obligations.
What is the GDPR, and why is it being implemented?
Data protection laws are not new. They have been in place in many countries for years. Data protection laws control the way businesses collect, share, and use personal data. A traveler’s personal data includes name, photo, email address, bank information, social media posts, and medical information, among other things. The GDPR is an overhaul of the existing EU data protection laws. The Data Protection Directive that the GDPR is replacing was created in 1995. The goals of the directive were to unify data protection laws across all member states of the EU and to control how data is transferred outside of the EU member states to “third countries.” Data Protection Authorities were established in each member state to oversee the application of the directive. However, being a directive and not a regulation, the Data Protection Directive was open to interpretation as to whether it should be applied and how. The GDPR is a regulation, meaning it is an immediately enforceable law in all member states of the EU, and it is not open to interpretation. Many of the principles from the original data protection guidelines and directives are still in place, but just as technology has changed (the internet and social media) and created a need for increased data security, the GDPR must also cover more aspects of data security for the traveler’s protection.
What has changed?
The GDPR has a very broad scope, and it affects companies established in the European Union and all companies involved with processing personal data of individuals within the EU, regardless of where the company was established. Some of the main changes to the previous data protection laws include:
- The GDPR is a regulation rather than a directive. This means it must be followed in its entirety by every EU member state.
- Personal data definition is extended to include other bits of information, such as a traveler’s IP address.
- Fines for lack of compliance are increased.
- There are stricter requirements for individual consent, meaning consent cannot be implied, and it is possible for an individual to revoke his consent.
- Mandatory breach notification within 72 hours of an identified data breach.
- The new Right to Access allows individuals to ask if any data about them is being processed, and they have a right to receive an electronic copy of what information was asked for, and who asked for it.
- The Right to be Forgotten allows an individual to have his personal data erased and no longer distributed.
If you are considering changes to your global travel program, contact your TI Account Manager for more details regarding the benefits a personal approach can bring to a global program.