In our digital age, keeping personal information protected and secure is a new normal. Not only do individuals need to be vigilant about security, but so do the companies that handle their private information. New regulations from the European Union will inevitably enhance these protections, affecting not just EU residents but potentially people globally. With something on this scale, it is certain to affect many other areas, including business travel, even in the U.S.
What’s going on?
Starting May 25, 2018, the European Union will be introducing a regulation that fundamentally reshapes how private data is collected and used for EU residents. Called the General Data Protection Regulation (GDPR), this change will affect how the E.U., and potentially the world, handles and secures the private information of its users. The EU, like most other nations, already has regulations about data security. Replacing the Data Protection Directive, the GDPR is extensive and more thoroughly defines data security. One of the biggest changes is that the Directive was implemented by each EU member state. The GDPR is a regulation, meaning it must be followed by the entirety of the EU.
Why is this important?
The entirety of the EU is updating its standards and practices of data collection. Any organization based in an EU country will have to comply with these changes. But more extensively, any company involved in processing data of individuals from the EU, regardless of the location of its organization, will also be responsible for updating its data privacy to comply with the GDPR. This means the GDPR will likely alter how the world processes and protects user data.
What are the specifics of the GDPR?
- Regulation – Because this is a regulation and not a law that needs to be enacted at the country level, there should be a greater degree of harmonization of data protection across the EU in all industries.
- Increased protection of personal data – The definition of ‘personal data’ is widening, further protecting individuals. Online identifiers, like IP addresses, are now included as data that should be protected.
- All organizations, regardless of location, will be under the GDPR’s requirements – If an organization is in the EU, offers goods or services to individuals in the EU, or monitors behavior of individuals in the EU, they will be required to abide by the same GDPR requirements and standards for their data security.
- Increased fines – If any of these organizations does not comply, it can lead to fines up to 20 million EUR or up to 4% of total worldwide annual turnover of the preceding financial year.
- Consent requirements – The GDPR also creates a higher standard for the individual’s consent to collecting, using, storing, and processing their data. With clearer and less ambiguous language, consent protocol will be straightforward. Consent will be voluntary; pre-ticked boxes, silence, or inactivity will not constitute consent. It will also be easier to revoke consent.
- Breach notification standards – If a company’s data is breached, they are required to report the data breach to the data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
- More thorough data protection in new products – Moving forward, data protection must be considered from the onset of new technologies and products. No longer will it be an afterthought, quickly solved post launch.
How will the GDPR influence business travel?
The GDPR will impact any company that stores or sells personal information about E.U. citizens. For example, consider a hotel in the U.S. that books a room for a business traveler from France. This hotel is responsible for observing the GDPR’s regulations on data security for this European citizen, or it could potentially be fined. Basically, any company that gathers personal information to use at a later time, like name, birth date, credit card information, etc., will need to comply with the GDPR. This will affect not just business travel, but many other areas of industry as well.
Additionally, companies will need to find ways to protect users’ data and information, while also providing easy-to-use and accessible products. Our society is accustomed to immediate gratification and convenience. Keeping needed material like travel itineraries, preferences, and user information readily available, while also keeping it secure, may also pose a challenge.
At Christopherson, we take the issue of GDPR and data protection very seriously. We are currently working with an outside consulting firm to ensure we’re compliant with all new upcoming GDPR regulations. If you have any questions, thoughts, or concerns about our data security, please contact your account manager.