Many in India are working on the basis that the new EU regulations governing data protection do not affect them. That isn’t true. The majority of professionals either operate events in Europe or include delegates, speakers or participants from Europe, and need to adhere to the General Data Protection Regulation (GDPR) because the potential fines could bring down most small businesses!
The GDPR applies to the processing of personal data by a controller or processor established in the European Union, regardless of whether the processing takes place in the EU or not. Ultimately, the change applies to almost all travel companies that offer products and services in Europe and process personal data of EU citizens as well as other users located within its borders. This will mean that global online travel agents or, for instance, US airlines, will be directly regulated by the GDPR. For example, when an India-based hotel sells to EU travel agents or third-party wholesalers based in Europe, it falls under the Regulation. If you monitor the behaviour of users who are located within the EU, such as flight destinations and hotel bookings in France, you must comply with the requirements. This approach affects the use of web analytics tools, data collection and tracking for personalisation and retargeting purposes. It also applies to website visits from users located in the EU, regardless of whether they are EU citizens or not.
The GDPR sets rules relating to the protection of people’s fundamental rights and freedoms regarding the processing of personal data. Enforcement of the regulation took effect this year, after a two-year transition period.
The regulation applies directly to all EU member states and has an extraterritorial scope, as it obliges non-EU companies to comply with data protection obligations when processing personal information from any individual located in the EU. The purpose of the change is to give people easier access to the personal data that companies store about them, to introduce a new fining system, and to place a clear responsibility on organisations to obtain consent from people whose information they collect. In some circumstances, companies need to appoint a data protection officer, who will be prepared for information requests from users. Data protection officers must respond to requests about the purpose of obtaining personal data and provide a copy of all user data if needed. Also, this role requires setting up the data deletion process.
According to the GDPR definition, ‘personal data’ means any information relating to a person that enables them to be identified directly or indirectly. The regulation lists some main identifiers such as name, identification number, location data, or some factors specific to the physical, cultural, or social identity of that person. From the travel industry aspect, personal data could include the following types and sources of information: ID/Passport details, names, postal addresses, race, origin, biometric data, contact information, email addresses, telephone numbers, digital data, photographs, videos, financial and payment information, HR records, current and former employee details.
The GDPR enforces extremely high penalties divided into two broad categories – the upper level is up to €20 million or four per cent of total worldwide annual revenue for the latest financial year for major breaches. The lower level is up to €10 million or two per cent of total worldwide annual revenue for the latest financial year for smaller breaches! Compare these penalties with the fine for a data breach in 2012, which can be considered a major one, as 1,163,996 debit and credit card records were stolen from a travel agent. Back then, the fine amount was approximately US$255,000.
The amount of the fine depends on which article’s rules are violated. Generally, breaches of individual privacy rights and freedoms will be subject to the upper-level fines. Infringements of the controller or processor organisation’s obligations, including data security breaches, will result in the lower-level fine.
I shall discuss the impacts, ramifications, compliance readiness and bottom line effect of GDPR on the Asia Pacific travel industry in my next blog. Meanwhile, if you are gathering, storing, using or sharing data for Europe-based individuals or supply chains, beware and take advice!