Many in India are working on the basis that the new EU regulations governing data protection do not affect them. That isn’t true. The majority of professionals either operate events in Europe or include delegates, speakers or participants from Europe, and need to adhere to the General Data Protection Act (GDPR) because the potential fines could bring down most small businesses!
The GDPR applies to the processing of personal data by a controller or processor established in the European Union, regardless of whether the processing takes place in the EU or not. Ultimately, the change applies to almost all travel companies that offer products and services in Europe and process the personal data of EU citizens, as well as of other users located within its borders. This will mean that global online travel agents or, for instance, US airlines, will be directly regulated by the GDPR. For example, when an India-based hotel sells to EU travel agents or third-party wholesalers based in Europe, it falls under the Regulation. If you monitor the behaviour of users who are located within the EU, such as flight destinations and hotel bookings in France, you must comply with the requirements. This approach affects the use of web analytics tools, data collection and tracking for personalisation and retargeting purposes. It also applies to website visits from users located in the EU, regardless of whether they are EU citizens or not.
The GDPR sets rules relating to the protection of people’s fundamental rights and freedoms regarding the processing of personal data. Enforcement of the regulation began this year, after a two-year transition period.
The regulation applies directly to all EU member states and has an extraterritorial scope, as it obliges non-EU companies to comply with data protection obligations when processing personal information from any individual located in the EU. The purpose of the change is to give people easier access to the personal data that companies store about them, to introduce a new fining system, and to place a clear responsibility on organisations to obtain consent from the people whose information they collect. In some circumstances, companies need to appoint a data protection officer, who will be prepared for information requests from users. Data protection officers must respond to requests about the purpose of obtaining personal data and provide a copy of all user data if needed. This role also requires setting up the data deletion process.
According to the GDPR definition, ‘personal data’ means any information relating to a person that enables them to be identified directly or indirectly. The regulation lists some main identifiers such as name, identification number, location data, or some factors specific to the physical, cultural, or social identity of that person. From the travel industry aspect, personal data could include the following types and sources of information: ID/Passport details, names, postal addresses, race, origin, biometric data, contact information, email addresses, telephone numbers, digital data, photographs, videos, financial and payment information, HR records, current and former employee details.
The GDPR enforces extremely high penalties divided into two broad categories. The upper level, for major breaches, is up to €20 million or four per cent of total worldwide annual revenue for the latest financial year. The lower level, for smaller breaches, is up to €10 million or two per cent of total worldwide annual revenue for the latest financial year! Compare these amounts with the penalty for a data breach in 2012, which can be considered a major one, as 1,163,996 debit and credit card records were stolen from a travel agent. Back then, the fine amount was approximately US$255,000.
The amount of the fine depends on which article’s rules are violated. Generally, breaches of individual privacy rights and freedoms will be subject to the upper level fines. Infringements of the controller or processor organisation’s obligations, including data security breaches, will result in the lower level fine.
I shall discuss the impacts, ramifications, compliance readiness and bottom line effect of GDPR on the Asia Pacific travel industry in my next blog. Meanwhile, if you are gathering, storing, using or sharing data for Europe-based individuals or supply chains, beware and take advice!