Have you heard about the European Union’s (EU) General Data Protection Regulation (GDPR)? Whether you are a buyer or supplier, you should immediately start asking within your organization how the new GDPR will impact your existing and future travel and meetings supplier agreements. The new regulations will affect almost every country in the world because GDPR extends EU data protection law to all foreign companies processing data of EU residents, regardless of where the company headquarters is located.
GDPR comes into enforcement on May 25, 2018, and is directly aimed at giving greater data protection in the member countries of the EU (currently 28 countries, including the United Kingdom until Brexit). The total population directly impacted by GDPR in all of these countries is roughly 508 million people.
Data privacy and governance are the very core of GDPR. How companies address the new regulations will invariably impact their business processes. It will also add operational costs to every affected company, as each will have to impose ongoing audits and assessments and employ data protection experts as part of the newer and stricter data governance regulations under GDPR.
Those companies opting to ignore the GDPR will face stiff penalties for non-compliance to the tune of four percent of annual corporate revenues or 20M Euros, whichever is the greater of the two penalties!
The scope of personal data covered by GDPR is more than just name and address. It is also income information, health information, frequent flyer and frequent stay account information, birthday, age, food preference, allergy notifications, cultural and ethnic background information, etc.
There are also regulations and guidelines as to how long the controller (data collector) can retain the information, with mandatory purging of personal data.
Companies and their preferred supplier partners (processors) collect and retain data for their employee travel, meetings/event attendees, guests, etc. The GDPR will require a review and remedy for existing travel, meeting and event processes, supplier agreements, and a whole lot more. This kind of thoroughness will require time, budget and revised preferred supplier considerations for all business travel and corporate meeting and event leaders.
Time is running out for you to discuss with all of your preferred travel and meeting suppliers that collect personal data. You need to ensure that they are aware of GDPR, consent to comply with the regulations, and will be ready for the impending May 25, 2018 GDPR launch.
Tips on GDPR Readiness:
- Don’t rely on others to be GDPR ready; ask questions internally. Raise your hand and take the lead if necessary.
- Research and fully understand the defined roles within GDPR (controller – processor).
- Prepare a data audit of your existing internal and external processes; include your supplier (processor) partners in this exercise. For suppliers (processors), ask your clients if they are aware of GDPR and if not, let them know of the urgency and compliance date for readiness.
- Create new legal verbiage regarding GDPR compliance, adherence and liability expectations with all engaged controller and processor partners.
- Review and update all consent forms as well as create a data repository of all consent forms collected.
- Understand the new rights for individuals under GDPR.
- Identify and create an elimination process for any individuals requesting to opt out and/or requesting deletion of their personal data.
- Assign GDPR subject matter expertise to a team member and/or leverage an existing internal GDPR subject matter expert or department.
Kevin Iwamoto is a senior consultant at GoldSpring Consulting, an independent travel management consultancy. He has more than 30 years of experience in corporate travel and meetings/events management.