GDPR and Its Implications for Corporate Travel
In this digital age, where technology has been thoroughly ingrained in people’s minds, keeping personal information protected and secure is the new norm. Starting mid-2018, the General Data Protection Regulation (GDPR) will fundamentally reshape how private data is collected and used for EU residents. It will affect how the EU, and potentially the world, handles and secures the private information of its users. With something of this scale, it is certain to affect many other areas, including business travel.
Impact on Travel
Global travel management companies (TMCs) and online travel agents (OTAs) will directly fall under the umbrella of the GDPR. This approach affects the use of web analytics tools, data collection and tracking for personalization and retargeting purposes. It also applies to website visits from users located in the EU, regardless of whether they are EU citizens or not.
For example, if a TMC has a U.S.-based, multinational client and is trying to get the employees of its client's French subsidiary to come into its travel program via a website aimed at them, the GDPR will apply because the TMC is targeting EU residents. On the other hand, if the client sends a worldwide mandate requiring all its employees to sign up with the TMC, the rules don't apply because the TMC is targeting everyone.
With the ideal travel experience steadily veering toward personalization and customization, storing client preferences and using this information to shape future bookings has become an integral part of the streamlined service TMCs offer to travelers. TMCs will now need to find ways to customize travel itineraries, while minimizing client risk through methods of storing personal data.
Direct Sourcing Implications
A TMC contracts a vast list of suppliers in their line of business. From online booking & payment solutions to airlines, hotels and car rentals, and even sharing economy providers such as Uber and Airbnb, all fall under the spectrum of a TMC supplier. TMCs must ensure that all these suppliers adhere to the GDPR.
Travel suppliers such as airlines, hotels and car rental companies are data controllers under the GDPR. In many cases, transmitting necessary employee data to these suppliers is not dependent on consent from the traveler, as the information is critical to delivering the services that are purchased and in certain instances is required by government entities for all regulatory purposes.
Corporates, who are considered data controllers and thus accountable for their traveling employees’ data, must do their own due diligence to ensure that the entirety of their travel program complies with the GDPR. A part of that could be talking to their TMCs as well as suppliers about how they handle their travelers’ data, verifying if they are meeting the GPDR requirements as a data controller and implementing strict compliance regimes.
Companies must be ready to adapt their personalization processes too. GDPR gives companies an opportunity to stop spamming their users and deliver more explicit, valuable personalization instead. If travel companies manage to introduce clear communication and allow travelers to shape promoted travel offers, there will be a real value in meaningful and up-to-date personalization.
Role of Procurement
The onus is on procurement to be the harbingers of change by making airlines, hotel and car rental companies, and payment card providers ensure that their processes are fully compliant, and to make that compliance transparent. It falls to procurement to minimize and effectively manage data protection risk in the supply chain. Under the new regulation, companies will also need robust supplier risk management processes in place for managing third-party relationships and assessing the risks to which they’re exposed.
While the GDPR will affect almost all travel industry players, it could be an opportunity rather than a threat. It nudges travel businesses to build trustful relationships with customers by providing valuable propositions to them. Companies’ data strategies could become simpler and more streamlined as they clarify their objectives and focus on mining essential data only.