GDPR: a climate of mistrust?
Between CNIL, the French Data Protection Authority (which is particularly vigilant regarding compliance with the new European regulations), and users who are very quick to file complaints, the processing of personal data is subject to significant precautionary measures; especially as technological innovations in business travel have increased the amount of personal data in circulation, thus reinforcing a complex and interconnected T&E ecosystem.
A few months after the implementation of GDPR (General Data Protection Regulation) within the European Union, the initial results are surprising. We should remember that the application of GDPR also applies to non-European companies, should they process data from European individuals (e.g. Google, Amazon). Over the one hundred days following the implementation of this system on 25 May 2018, CNIL noted a significant increase in the number of complaints. Over the last 3 months, it has received no less than 2,770 complaints compared with 1,780 over the same period the previous year. This represents an increase of 56%. As the business travel sector essentially involves processing a large amount of personal data, companies must therefore take maximum precautions with regards to how technological solutions are deployed.
According to a study by NetApp/Opinion Matters, 51% of global companies surveyed believe that GDPR is likely to damage their reputation. A recent survey conducted by the publisher Veritas had already pointed out that 39% of French consumers were considering asserting their rights regarding data confidentiality within 6 months of the European Regulation coming into effect, signalling a climate of mistrust that cannot be ignored.
Particular vigilance must, therefore, be observed when processing business travellers’ data internally, to ensure transparency. Their profiles contain a lot of personal information such as phone numbers, preferences, accommodation, emergency contacts or even meetings with contacts. Most personal information is entered by users into T&E solutions and transferred to travel agencies, booking systems, etc. Today, new booking channels offering innovative solutions are emerging from the collaborative economy. Travellers’ data is subject to a number of transfers due to the personalised and custom-made services that these associated tools provide, as well as the large number of interconnected participants and technological solutions involved. The business traveller must be informed of these conditions, as well as of their rights, and the recourse available to them with regards to the processing of their data.
As a reminder, in the event of non-compliance with the rules laid down by GDPR, the penalties incurred may amount to 4% of global turnover or to €20 million. And these do not appear to be just for show, as the heavyweight Google recently learned to its cost. The American giant was sentenced by CNIL to a record fine of €50 million due to a lack of transparency in the use of its users’ personal data.