Editor's Blog

Why we non-Europeans must comply
Thu 11 Oct, 2018 at 12:00 am

I defined the EU’s General Data Protection Regulation (GDPR) and its implications for businesses dealing with clients in the EU in my last blog. I pointed out that being in India does not remove you from its jurisdiction. The EU’s reach is long and the massive potential fines pose an existential threat to most small to medium-sized businesses, so if you are ignoring its impact, you do so at your peril.

It is an enduring fact that all businesses operate within the parameters of laws in their countries. Often, regulations that are not directly enforceable in their countries and sit under a bigger international umbrella tend to be put on the back burner of recognition, acceptance and compliance.

GDPR has the best intentions, in an age where cybersecurity, encryption and embedded systems are only safe until the next malicious hacker shows up, as serious data breaches at an international hospitality chain, a major Japanese consortium, and a British association of travel agents have already gravely illustrated. GDPR has stirred up what could be a hornet’s nest, once the gravity and implications sink in with the travel industry and it acknowledges that such regulations have penal implications that cannot be ignored.

Most travel businesses treat client data with the degree of care that their best practices allow or that the laws in their country require. For instance, Australia has stringent privacy laws that demand very careful treatment of client information and stipulate the deletion of such data from the business records once the purpose of obtaining the data is complete. Nicolette Hughes, director of product strategy and innovation at The Association of Superannuation Funds of Australia, commented: “We treat all such data as sacrosanct and abide strictly by Australian laws. Incorporating GDPR will not be very difficult considering we already follow a discipline in the data collection and storage practice.” For instance, information pertaining to dietary preferences is considered strictly confidential in Australia, so after each event a hotel or a PCO must delete such information.

Hugo Slimbrouck, director of strategic partnerships at Ovation Global DMC, considers GDPR to be “like an approaching train which does not seem to be moving fast till it is almost upon you.” Although grey areas remain, the interpretation of GDPR and its compliance processes for various types of travel businesses will affect not only the collection and use of personal client data but also the marketing of events, since contact information is often available on websites and is then used to email such prospects. Now, one must seek permission to email them unless one can prove ‘legitimate interest’.

Mona Abdul Manap, CEO of Place Borneo, a Malaysian DMC, states candidly: “Most companies are blissfully unaware of GDPR and are yet to take cognizance of the fact that they need to comply.” For many companies in Asia, much business is conducted with other Asian companies, so the segment of business with the EU is not significant. That leads to apathy and a lack of urgency in dealing with such issues.

The cost of obtaining client information, of storage and security, of deletion and of giving clients access to exercise their option of retaining or deleting partial or complete data, as well as the appointment of a data protection officer, all add to the fixed expenses to be incurred. The cost implication is yet to be assessed.

Compliance with GDPR in Asia seems like a long haul at this nascent stage. Firstly, Asian companies need to understand the implications and extent of confidentiality of client information and how to deal with it. Secondly, the implications of penalties consequent to any breach of the norms need to be determined. Thirdly, the methodology of compliance, how easy or difficult it will prove to be, is complex.

But if you are working with EU clients or suppliers, you need to comply.
