Many in India are working on the basis that the new EU regulations governing data protection do not affect them. That isn’t true. The majority of professionals either operate events in Europe or include delegates, speakers or participants from Europe, and need to adhere to the General Data Protection Act (GDPR) because the potential fines could bring down most small businesses!
The GDPR applies to the processing of personal data by a controller or processor established in the European Union, regardless of whether the processing takes place in the EU or not. Ultimately, the change applies to almost all travel companies that offer products and services in Europe and process personal data of EU citizens as well as other users located within its borders. This will mean that global online travel agents or, for instance, US airlines, will be directly regulated by the GDPR. For example, when an India-based hotel sells to EU travel agents or third-party wholesalers based in Europe, it falls under the Regulation. If you monitor the behaviour of users who are located within the EU, such as flight destinations and hotel bookings in France, you must comply with the requirements. This approach affects the use of web analytics tools, data collection and tracking for personalisation and retargeting purposes. It also applies to website visits from users located in the EU, regardless of whether they are EU citizens or not.
The GDPR sets rules relating to the protection of people’s fundamental rights and freedoms regarding the processing of personal data. Enforcement of the regulation took effect this year, after a two-year transition period.
The regulation applies directly to all EU member states and has an extraterritorial scope, as it requires non-EU companies to comply with data protection obligations when processing personal information from any individual located in the EU. The purpose of the change is to give people easier access to the personal data that companies store about them, to introduce a new fining system, and to place a clear responsibility on organisations to obtain consent from people whose information they collect. In some circumstances, companies need to appoint a data protection officer, who will be prepared for information requests from users. Data protection officers must respond to requests about the purpose of obtaining personal data and provide a copy of all user data if needed. Also, this role requires setting up the data deletion process.
According to the GDPR definition, ‘personal data’ means any information relating to a person that enables them to be identified directly or indirectly. The regulation lists some main identifiers such as name, identification number, location data, or some factors specific to the physical, cultural, or social identity of that person. From the travel industry aspect, personal data could include the following types and sources of information: ID/Passport details, names, postal addresses, race, origin, biometric data, contact information, email addresses, telephone numbers, digital data, photographs, videos, financial and payment information, HR records, current and former employee details.
The GDPR imposes extremely high penalties divided into two broad categories – the upper level is up to €20 million or four per cent of total worldwide annual revenue for the latest financial year for major breaches. The lower level is up to €10 million or two per cent of total worldwide annual revenue for the latest financial year for smaller breaches! Compare this penalty amount with the fine for a data breach in 2012, which can be considered a major one as 1,163,996 debit and credit card records were stolen from a travel agent. Back then, the fine amount was approximately US$255,000.
The amount of the fine depends on which article’s rules are violated. Generally, breaches of individual privacy rights and freedoms will be subject to the upper level fines. Infringements of the controller or processor organisation’s obligations, including data security breaches, will result in the lower level fine.
I shall discuss the impacts, ramifications, compliance readiness and bottom line effect of GDPR on the Asia Pacific travel industry in my next blog. Meanwhile, if you are gathering, storing, using or sharing data for Europe-based individuals or supply chains, beware and take advice!