Editor's Blog

Just because you are in India doesn’t mean you are innocent!
Tue 2 Oct, 2018 at 12:00 am

Many in India are working on the basis that the new EU regulations governing data protection do not affect them. That isn’t true. The majority of professionals either operate events in Europe or include delegates, speakers or participants from Europe, and need to adhere to the General Data Protection Act (GDPR) because the potential fines could bring down most small businesses!

The GDPR applies to the processing of personal data by a controller or processor established in the European Union, regardless of whether the processing itself takes place in the EU. Ultimately, the change applies to almost all travel companies that offer products and services in Europe and process the personal data of EU citizens, as well as of other users located within its borders. This means that global online travel agents or, for instance, US airlines will be directly regulated by the GDPR. For example, when an India-based hotel sells to EU travel agents or third-party wholesalers based in Europe, it falls under the Regulation. If you monitor the behaviour of users who are located within the EU, such as flight destinations and hotel bookings in France, you must comply with the requirements. This affects the use of web analytics tools, data collection and tracking for personalisation and retargeting purposes. It also applies to website visits from users located in the EU, regardless of whether they are EU citizens or not.

The GDPR sets rules relating to the protection of people’s fundamental rights and freedoms regarding the processing of personal data. Enforcement of the regulation became effective this year, after a two-year transition period.

The regulation applies directly to all EU member states and has an extraterritorial scope, as it requires non-EU companies to comply with data protection obligations when processing the personal information of any individual located in the EU. The purpose of the change is to give people easier access to the personal data that companies store about them, to introduce a new fining system, and to place a clear responsibility on organisations to obtain consent from the people whose information they collect. In some circumstances, companies need to appoint a data protection officer, who will handle information requests from users. Data protection officers must respond to requests about the purpose for which personal data was obtained and provide a copy of all of a user’s data if required. The role also requires setting up a data deletion process.

According to the GDPR definition, ‘personal data’ means any information relating to a person that enables them to be identified, directly or indirectly. The regulation lists some main identifiers, such as name, identification number, location data, or factors specific to the physical, cultural, or social identity of that person. From the travel industry’s perspective, personal data could include the following types and sources of information: ID/passport details, names, postal addresses, race, origin, biometric data, contact information, email addresses, telephone numbers, digital data, photographs, videos, financial and payment information, HR records, and current and former employee details.

The GDPR imposes extremely high penalties, divided into two broad categories. The upper level is up to €20 million or four per cent of total worldwide annual revenue for the latest financial year, for major breaches. The lower level is up to €10 million or two per cent of total worldwide annual revenue for the latest financial year, for smaller breaches! Compare these penalties with the fine for a data breach in 2012, which can be considered a major one, as 1,163,996 debit and credit card records were stolen from a travel agent. Back then, the fine was approximately US$255,000.

The amount of the fine depends on which article’s rules are violated. Generally, breaches of individual privacy rights and freedoms will be subject to the upper-level fines. Infringements of the controller’s or processor’s organisational obligations, including data security breaches, will result in the lower-level fine.

I shall discuss the impacts, ramifications, compliance readiness and bottom line effect of GDPR on the Asia Pacific travel industry in my next blog. Meanwhile, if you are gathering, storing, using or sharing data for Europe-based individuals or supply chains, beware and take advice!
