Business travel put to the test by GDPR
In May 2018, the GDPR (General Data Protection Regulation) came into force, obliging companies to take measures to ensure the confidentiality of personal data. Two years later, in the travel business as elsewhere, compliance with its requirements remains precarious and the procedures it demands are not well understood.
GDPR – an overarching legal framework that’s still overlooked
Failing to protect the personal information of customers or employees can lead to severe penalties: up to €20 million or 4% of company turnover. If GDPR were applied to the letter, only 10% of websites would actually comply, and only half of the players in the hotel industry would be able to respond to a request for a person's data within the one-month deadline.
Companies subject to heavy fines
A major airline learned the hard way that negligence can be costly. In 2019, it was fined €200 million for security incidents involving 500,000 users, payment card data and other travel data. The authorities judged that the company had had ample time and means to carry out upstream security audits that could have prevented the situation.
A large hotel group was also fined €110 million for a similar reason. In 2020, sanctions are set to increase, reflecting the regulators' firm determination to make every company understand that travel data is not trivial.
Neglect is the core issue
The importance of personal information remains underestimated. Travel data, for example, is far more sensitive than it seems: from something as simple as the composition of a meal, one can infer an employee's religion or certain characteristics of his or her health.
Organizing good practices
Several actions are indispensable for a compliance program to function properly:
- identify and audit all data processing operations
- assess the risks arising from any confidentiality breach and, in high-risk cases, analyze their impact
- designate a compliance lead and make all stakeholders accountable
- safeguard the data through technical measures
- continuously ensure that individuals' rights are respected
- document every action in anticipation of possible inspections by the authorities