In less than a month, a new EU-wide data privacy law will come into effect, with the threat of significant fines for non-compliant organisations. The General Data Protection Regulation (GDPR) is the culmination of four years of efforts to update data protection for today's digital age, in which people regularly grant permission to use their data for a variety of reasons – booking a chauffeured ride, for instance.
GDPR will replace the Data Protection Act 1998, which was brought into law as a way to implement the 1995 EU Data Protection Directive. Once it is in force, organisations found in breach of the new rules could face penalties of 4% of their annual global turnover or €20 million – whichever is greater.
To Whom Does the GDPR Apply?
Data controllers and processors need to comply with the new rules once the GDPR comes into effect on May 25, 2018. In GDPR terms, a data controller is responsible for how and why personal data is processed, while a processor is responsible for doing the actual processing of the customer’s data. Basically, the controller could be any organisation – a private company, a charitable foundation, or a government agency. A processor could be an IT firm contracted for data processing.
GDPR places heavier legal responsibilities on processors: they are required to maintain stringent records of data activities and will have significantly more legal liability if they fail to put proper supervisory systems in place.
What are the Important Aspects of the GDPR?
- Increased Classifications Under ‘Personal Data’ – The definition of ‘personal data’ is widening, further protecting individuals. Online identifiers, like IP addresses, are now included as data that should be protected.
- Inclusion of Non-EU Countries – If an organisation is in the EU, offers goods or services to individuals in the EU, or monitors the behaviour of individuals in the EU, it will be required to abide by the same GDPR requirements and standards for its data security.
- Increased Fines – If any of these organisations does not comply, it can lead to fines of up to 20 million EUR or up to 4% of the total worldwide annual turnover of the preceding financial year.
- Higher Standard for Consent – The GDPR also creates a higher standard for an individual's consent to the collecting, using, storing, and processing of their data. Consent will be voluntary; pre-ticked boxes, silence, or inactivity will not constitute consent. It will also be easier to revoke consent.
- Tighter Breach Notification Requirements – If a company’s data is breached, it is required to report the data breach to the data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
- Tighter Data Protection in New Products – Moving forward, data protection must be considered from the outset of new technologies and products. No longer will it be an afterthought, quickly solved post-launch.
How Will the GDPR Impact Business Travel?
The forthcoming implementation of GDPR means a lot to the many business travel organisations which operate or have clients in the EU. Global online travel agents or, for instance, UK airlines, will be directly regulated by the GDPR. When a New York-based hotel sells to EU travel agents or third-party wholesalers based in Europe, for instance, it falls under the new regulation.
If a business monitors the behaviour of clients who are located within the EU, such as chauffeured transport destinations and hotel bookings in Spain, then it must comply with the requirements. This approach impacts the use of web analytics tools, data collection and tracking for personalisation and retargeting purposes. It also applies to website visits from users located in the EU, regardless of whether they are EU citizens or not.
From the perspective of the business travel industry, personal data could include the following types of information:
- ID / Passport details: names, postal addresses, race, origin, biometric data
- Contact information: email addresses, telephone numbers
- Digital data: photographs and videos
- Sensitive data: financial and payment information
- HR records: current and former employee details
Overall, travel companies will now need to provide their business clients with new ways of making travel itineraries – all without compromising the client’s data protection. All relevant parties – travel managers, airlines, hotels, and ground transportation companies – have to work together to ensure 100% compliance before the new rule rolls out.
Wherever you plan to go in 2018 – for business, for pleasure, or both – we are looking forward to providing the finest premium chauffeured service you will ever experience. Contact us today to know more about our premium chauffeured services.