Data protection and privacy have been a big deal for a long time in the data-intensive travel industry. With new regulations set to take effect — covering all European citizens and companies doing business in Europe — there are many new questions about who is impacted and how to comply. Tom Tulloch, executive vice president and managing director in North America for data firm PredictX, provides some clarity and advice on how to proceed.

The deadline for complying with the European Union’s General Data Protection Regulation is May 25. That’s when we will see the biggest changes to data privacy regulations since the Data Protection Directive of 1995. New rules and regulations surrounding data privacy and protection will be enforced for anybody based in Europe handling personal data as well as any entity handling personal data of a European citizen. Companies misusing personal data may face fines of up to 20 million euros or 4 percent of annual global turnover.

The fines associated with non-compliance are raising eyebrows and bringing up a new dilemma for the travel industry. GDPR places a huge emphasis on the privacy rights of the individual whose personal information is shared — the data subject. Companies need permission to access all non-essential personal information and must grant notice if the information is being transferred to any other party. Obligated to protect the rights of each individual traveler and their personal data, travel managers should take measures by actively engaging their IT and legal departments.

PredictX North America EVP and managing director Tom Tulloch
PredictX North America EVP and managing director Tom Tulloch

In relation to GDPR, the business travel industry has yet to define a code of conduct. This is odd as business travel, arguably, has the most complex supply chain in existence. A traveler could not complete a business trip or even board an airplane without sharing at least some personal information. Credit card details, names, email addresses, dates of birth and passport information are processed through multiple intermediaries including point-of-sale systems, GDSs, CRSs, credit card processors, TMC back-office systems and expense management systems. The rapid adoption of mobile travel applications has made sharing of data and information widespread.

Stricter rules and regulations around handling data breaches are also a big part of GDPR. Not a week goes by without headlines highlighting a new data breach. No company is immune. GDPR also contains a strict set of requirements for the breaching party, including time restrictions around informing people who may have been impacted. Additional damage control obligations may also apply.


Most travel managers don’t have the resources to manage this themselves. Unfortunately they still need to ensure their supply chains are compliant with GDPR. If suppliers can prove they have data protection framework certifications in place, such as ISO certification and PCI compliance, and follow best practice guidelines, they will most likely meet the minimum privacy and security standards. If the data processed is of a high risk to individuals’ interests, they need to carry out Data Protection Impact Assessments. IT and legal departments are chief allies. Together, you can ensure that precautions are in place within the guidelines for GDPR in case any compromise or breach occurs.

If an entity handles private data and has more than 250 employees, it must appoint a certified Data Protection Officer trained to know the ins and outs of GDPR regulations. The DPO ensures all company departments are compliant. Check the parties in your supply chain to see if they have appointed DPOs. In addition, use your IT department to audit your suppliers and systems to identify any holes in data privacy policies. These should include:

● Point of sale applications
● Travel management companies
● Global distribution systems
● Corporate credit card issuers
● Expense management firms
● Data consolidators
● Meetings and events solutions
● Any other supplier handling personally identifiable information

Data Controllers And Processors?

There are two important roles involved in GDPR: the data controller and the data processor. Travel managers handle traveler data. As a result, they are entrusted with the title of data controller. Members of a supply chain may be controllers or processors, depending on how they share the data. Data controllers are directly responsible for the data, determining the purpose and means for how the data is shared or accessed.

Data processors are engaged by a data controller to assist with a particular process requiring personal information. GDPR is putting greater emphasis on the processor’s responsibilities. A processor has access to information and must outline how it will use it.

All parties need to give clear permission for data to be handled by another party. For example, a hotel booking system (a data controller) passes personal information to the hotel administration (a data processor) for payment processing and booking confirmation. Except for air travel purposes, the data subject must grant permission to perform this action. This process can, for example, manifest itself as consent forms or opt-ins that pop up on your smartphone when downloading a new travel app. Few travelers ever read the terms and conditions; however, in those cases, a user must accept them before they use the app. Unless you have full management and control over your employees’ smartphone apps, it is impossible to know, let alone audit, all travel apps your employees use.

Issues Of Consent

Personal data is vital to the function of the travel process. Travelers cannot withhold identity information, like passports or ID cards before flying, regardless of their rights spelled out by GDPR. We do, however, need to inform travelers how their data will be processed and ensure that no misuse happens across any channels. Anything that is not necessary to the function of travel, like marketing campaigns from suppliers, requires permission from the Data Controller before any information is handed over. Consent needs to be presented in a concise way with opportunities to either opt in or opt out. Those who choose not to opt in should not have their silence mistaken as permission.

Missing The Deadline

Not every company will have completed the audits of their entire supply chain by May 25. However, if you can prove that you have taken reasonable efforts to ensure your suppliers are compliant with the new regulations you should be in good shape.

After we gather our resources and double-check our supply chain, we will be waiting with baited breath to see who becomes the first target of a GDPR audit.

In any case, the key takeaway is that the travel industry needs some form of guidance. We need to ensure each of us is doing our best to protect personal data before facing hefty fines and front-page news stories. Proactive prevention is 10 times better than last-minute damage control.

Leave a Reply