Understanding GDPR and what it means for your travel programme

GDPR identifies three distinct categories over which it has power. A Data Subject is “a natural person whose personal data is processed by a controller or processor”. A Data Processor is “the entity that processes data on behalf of the Data Controller” whilst a Data Controller is “the entity that determines the purposes, conditions and means of the processing of personal data.”

Data processors will be subject to specific legal obligations and liabilities including the requirement to maintain records of personal data and processing activities. Data controllers are not relieved of their obligations where a processor is involved but remain subject to further obligations to ensure their contracts with processors are GDPR-compliant. “GDPR drives a data strategy which asks organisations to consider the right data, the right context and to do so in a way that is ethical, compliant and safeguards personal data as a fundamental human right,” says one industry commentator.


In practical terms, travel managers and suppliers alike will need to know what data they hold on their travellers, why they’re holding it and for what purpose. As a result, corporates could re-think their strategies to mine data from multiple, disparate sources, whilst initiatives to provide more choice in corporate travel programmes based on travellers’ personal preferences could be affected. At the very least GDPR will bring greater complexity and add a new dimension to compliance monitoring.

GDPR also includes a ‘profiling’ regulation which requires organisations to inform consumers if profiling is taking place. Consider the number of times a TMC might update a regular traveller’s profile during the course of a year and you get an idea of the challenges this will create for TMCs who are banking on collecting a lot of data to personalise services.

Despite GDPR having been four years in the making, travel industry associations have been slow to establish their position on GDPR. The Association of Corporate Travel Executives (ACTE) is reaching out to its membership “to better understand how the GDPR is directly affecting them and the steps they’re taking to implement it, as well as provide a platform for suppliers and travel executives to share dialogue, knowledge and best practices in a complicated international regulatory environment.”


The issues raised by the new legislation are as follows:

  • The data that powers all corporate travel programmes is crucial to buyers and suppliers alike. There are potentially multiple data security implications for each of the 190m business trips that will take place globally in 2017.
  • Every corporate/TMC, corporate/supplier and TMC/supplier agreement will have to be reviewed to ensure that the data covered by the terms of that agreement is robustly protected.
  • Companies will have to re-learn respect for people’s data.
  • Everyone who touches travel data is affected by the legislation, forcing travel suppliers to implement strict compliance regimes.
  • GDPR is just one data law; more will follow from non-EU countries.

GDPR could also see the emergence of a new stakeholder in travel management. The boardroom could be very crowded once procurement, HR, and IT are joined by a new army of Data Protection Officers (DPOs). Over 75,000 will be needed worldwide to police the GDPR - 28,000 in Europe and the US alone.


So how well prepared is the travel industry? Associations and suppliers who have already fallen victim to data breaches as a result of hacking will be especially nervous.

Cybersecurity attackers are becoming more and more adept at affecting more systems and are unlikely to be restricted in their reach. Businesses were the target of 40% of cyber attacks in 2016. Over 200,000 computers in 150 countries were affected by the WannaCry malware in March 2017, including FedEx, Britain’s National Health Service, and Spanish telecom giant Telefonica. Under the new legislation, a business could be fined €20 million or 4% of turnover – whichever is the greater – for a data privacy breach through loss or hacking.

As with anti-corruption and Duty of Care legislation, the companies that regard the new rules as simply an extension of business best practice, or common sense, will prevail. TMCs are used to working with clients whose businesses demand total confidentiality and robust security. GDPR simply formalises the responsibilities many global TMCs have been practicing for years. They already have the processes and systems in place to give their clients the required comfort that their data is in good hands.


The onus is on airlines, hotel and car rental companies, train operators and payment card providers to ensure that their processes are fully compliant, and to make that compliance transparent. For everyone in the supply chain, data privacy is as much a matter of brand (and corporate) reputation as it is of compliance.

The long-term implications of GDPR and its international offspring may also be positive. Companies’ data strategies could become simpler and more streamlined as they clarify their objectives and focus on mining essential data only. The regulation won’t prevent brands from learning more about their customers and employees and using that knowledge to hone their products and policies. They are just going to have to be smarter in the ways they go about it, focusing only on what is relevant. The alternative could be rather costly.
