Next year a new set of data regulations will come into force that protect personal freedoms and shake up the travel industry.
The General Data Protection Regulation (GDPR) will begin on 25 May 2018. It replaces the Data Protection Directive of 1995 and reflects the world we live in, where personal information is at the core of many commercial transactions. The new regulation aims to protect all European Union (EU) citizens from privacy and data breaches and it will harmonise data privacy laws across the Union.
The requirements of the GDPR are unequivocal. It applies to all organisations proxcessing the personal data of anyone living in the EU, regardless of where that entity is located. And companies are duty-bound to ensure they are accountable for every piece of data they process or control.
Organisations used to be accountable through their country’s authorities and each authority policed data protection differently, resulting in diverging standards across the EU. Now, compliance is not an option and the new legislation brings uniformity. Breach of the GDPR is backed by hefty fines: €10 million or up to 2 per cent of a business’s annual turnover or €20 million or up to 4 per cent, depending on the infringement. “For the first time, data privacy laws have teeth,” says data protection officer for CWT Samantha Simms.
Simms continues: “The £850,000 in fines levied by the UK’s Data Protection Authority, the ICO, could be as high as £69million under GDPR fining rules. That equates to a 69 fold increase. A failure to get your house into order can have significant effect on a company’s balance sheet.”
Privacy by design is at the core of the regulation and means data protection should be included in the design of any process or system, rather than bolting it on as an after-thought. Transparency is key and that means consent has to be unambiguous. “True consent means I have the ability to say ‘no’ but still get the same desired outcome,” she says. “If I say no to receiving marketing promotions, I can still receive the same service. In travel, if I say ‘no, you cannot use my information’, it means we have to look at other legal basis for using personal information other than consent, otherwise, you can’t travel.”
Gone are the days of contorted legalese and soft opt in or opt out. Consent also has to be affirmative and indisputable; the wording has to be abundantly clear and the owner of the data has to confirm that they agree to their data being used in a certain way – and they have the right to withdraw consent at any time. In addition, -companies should understand how they use data and manage the personal information they are holding.
As a result, companies will need to be clear about legal basis for using personal data, collected according to the new GDPR requirements. In some cases companies will need to get fresh consent if their original means of collecting the information was not aligned with the strict rules under the GDPR.
“You need to say what you have, how you use it, why you use it, what security measures you have taken to protect it, whom you transfer it to and how long you keep it; organisations have to have clear rules on retention and deletion of information so that they cannot keep personal data for ever and go on to use it for other purposes. Organisations need to understand where the data goes within a company’s eco system and outside it. That is a huge undertaking,” says Simms.
In addition, data controllers have to notify data breaches to the supervising authority within 72 hours. Given the complex world of data and data transfers, identifying that an incident has taken place, where it has taken place and the data impacted is no easy task. This is where understanding the internal data landscape is critical. This knowledge allows the controller to refer to the register of processing activities, identify detailed information about the characteristics of the impacted data, and quickly put in place mitigating measures. Agreements with all recipients of EU data outside the EU must ensure they have the same level of responsibility as a company in the EU and given different cultures and interpretations of data protection, that could be a foreign concept to them.
Preparing for 2018
CWT has been preparing for GDPR for two years. “We are well on the way to being fully prepared for the GDPR,” she says. The company has redesigned its programme on privacy and put together work plans to ensure it achieves compliance.
For the first time, there is a mandatory requirement across Europe for a data protection officer. Typically, this applies to public sector organisations, one that is involved in the large-scale processing of sensitive personal information on a systematic basis or that is doing profiling or automated decision-making such as credit checks. Samantha Simms is CWT’s dedicated privacy professional, who steers the work programme with the support of other compliance and privacy directors. “We are also key contributors on a travel industry wide Code of Conduct, as recommended by the GDPR, and have started discussions with a small group within the industry.”
Simms explains that GDPR is not simply about ticking boxes to show compliance. “We work closely with the product and innovation teams to ensure that data privacy is a forethought for people using our technology.” She also believes in the rise of subject access and how good processes can “ensure people are able to access their data succinctly and easily”.