
GDPR for Travel Companies


GDPR for Travel Companies: What You Need to Know and Do.

When Paul Hewett, Commercial Director of In Marketing We Trust met Tim Bell, Managing Director of DPR Group (Data Protection Representatives Group) at SXSW earlier this year, IMWT partnered with DPR to bring you this webinar on GDPR for Travel Companies + a FREE GDPR framework to help you comply.

These slides cover:
* GDPR for Travel Companies: Explained Simply
* "Global" GDPR
* Why Travel Companies Need to Pay Close Attention
* GDPR Compliance Obligations for Travel Companies
* GDPR: How to Comply
* Plus much more

Get more information and download your FREE GDPR Framework: https://www.inmarketingwetrust.com.au/gdpr-travel-companies-free-gdpr-framework

Published in: Data & Analytics


  1. THE GLOBAL IMPACT OF GDPR FOR TRAVEL: WHAT YOU NEED TO KNOW AND DO
  2. CO-HOSTING TODAY
     PAUL HEWETT, Commercial Director, In Marketing We Trust: “...we help travel brands get more customers and make more sales!”
     TIM BELL, Managing Director, DPR Group: “...we represent our non-EU clients in Europe”
     A marketer and a lawyer walk into a bar in Texas...
  3. DISCLAIMER: This session will provide general comments on the obligations under GDPR and some actions which can be taken to move towards compliance. It is not intended to be a comprehensive description of GDPR, and is not a substitute for full legal advice, which should be sought before drawing any conclusions on your particular circumstances.
  4. WHAT WE’LL COVER TODAY
     1. WHY GDPR MATTERS TO NON-EU COMPANIES
     2. WHY GDPR MATTERS FOR TRAVEL COMPANIES
     BUT FIRST...
  5. PERSONAL DATA: Personal data is becoming more, well, personal!
  6. PERSONAL DATA IS GROWING: Each day we leave a trail of personal data across the web which is being collected by companies. ...And the volume of personal data just keeps growing.
  9. WHEN PERSONAL DATA GOES BAD
  11. ● 2011: Max Schrems brings action against Facebook in Ireland for breach of privacy laws; Facebook disables facial recognition software
      ● 2013: Following the Snowden revelations, Schrems brings further action, resulting in the collapse of the US-EU ‘Safe Harbour’ for data transfers
      ● 2018: Belgian data protection authority requires Facebook to stop tracking non-Facebook users and delete data collected unlawfully using cookies (fined $311,000 per day for non-compliance)
  12. ● 2016: WhatsApp loses a case in Holland for not appointing a local Data Protection Representative; €1m fine
      ● 2017: French data protection authority demands WhatsApp stop sharing data with (owner) Facebook
  13. ● 2016: Uber suffers a massive data breach, losing the personal data of around 57,000,000 drivers and passengers
      ● 2017: Uber admits to the data breach, and to paying off the hackers
  14. INTRODUCING ‘GLOBAL’ GDPR: What the GDPR is and why you NEED to know about it.
  15. WHAT IS THE GDPR
      ▹ EU law on data protection and privacy
      ▹ Applies to all individuals within the EU
      ▹ Gives individuals within the EU control of their personal data
      ▹ Replaces the 1995 Data Protection Directive
      ▹ Adopted into law 27 April 2016
      ▹ Becomes enforceable 25 May 2018
  16. WHY GDPR MATTERS TO YOU: GDPR is directly enforceable against Australian, Asian, American and all non-EU companies.
  17. GDPR IS GLOBAL
      ▹ Increased ‘territorial scope’ (Article 3(2))
      ▹ Any organisation which collects and/or processes the data of EU data subjects is required to meet the obligations of the GDPR
      ▹ Regardless of their location
  18. PENALTIES: The risk for your organisation is significant.
      ▹ Large non-compliance fines: €20,000,000 / 4% of global revenue
      ▹ Globally enforceable
      ▹ From 25 May 2018
  19. PENALTY POTENTIAL [chart: $4.4 billion, $2 billion, $2 billion]
  20. GLOBAL ENFORCEABILITY (Paul): Authorities intend to enforce globally. It’s not in the EU’s interest to allow non-EU organisations to breach data protection laws.
  21. GDPR IS AN OPPORTUNITY: Consumers are becoming more data savvy by the day; getting data privacy right is a good business decision.
      ▹ Tell your customers why you need their data
      ▹ Tell them what you’re doing with their data
      ▹ Tell them what you
  22. GDPR IS AN OPPORTUNITY
      1. Ask your customers for consent to use their data.
      2. Tell your customers what you’ll do with the data.
      3. Tell your customers how you’ll protect their data.
      BE TRANSPARENT. TELL YOUR CUSTOMERS WHAT YOU’RE DOING AND WHY.
  23. TRAVEL WEBSITES SHOULD PAY CLOSE ATTENTION: Most travel businesses are global, whether they like it or not!
  24. TRAVEL IS A GLOBAL MARKET [diagram: Hotel.sg, Theme Park.sg and Car Rental.sg receiving visitors from Germany, the United Kingdom, Australia and the USA]: Travel websites are more at risk than most other ccTLD websites because they attract non-domestic customers.
  25. HIDDEN EU CUSTOMERS: If you’re like other online travel companies, it’s likely you’re capturing data from EU users already... even if you have country code top-level domains.
  26. HERE’S HOW IT WORKS: You may be capturing personalised data the minute your web tags start firing. Some of this is personal data. [diagram of capture stages: Analytics → Anonymous → Personalisation → Advertising → Sign Ups → Web Forms → Progressive Profiling → Transaction]
  27. PII DATA: You may even be capturing high-risk PII data in your web analytics.
      ▹ Data protection breach
      ▹ Against Google terms
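The most common way PII reaches web analytics is through the page URL itself: a booking form that puts the e-mail address in the query string, or a confirmation page whose path contains it, is recorded verbatim by the pageview tag. The browser-side check below is an added example, not code from the deck or from IMWT or DPR. It scrubs a URL before it is handed to the analytics tag and reports where personal data was found, so the leak can be fixed at its source. It goes a little beyond the slide by also scanning parameter values and the path, not just known field names. The `PII_PARAMS` list and the `analytics.pageview` call in the comment are assumptions for the example; replace them with your own form field names and tag API.

```javascript
// Added example (not from the deck): strip personal data out of a page URL
// before it is handed to a web-analytics tag, and report what was found so the
// leak can be fixed at the source (the form or redirect that put it there).

// Query-string keys that commonly carry personal data. This list is an
// assumption for the example; extend it with the field names your own forms use.
const PII_PARAMS = new Set([
  'email', 'e-mail', 'name', 'firstname', 'lastname', 'phone', 'tel',
  'passport', 'dob', 'address',
]);

// Free-text patterns: e-mail addresses and phone-number-like digit runs.
// Both are non-global so .test() keeps no lastIndex state; redactText()
// builds global copies for replacement.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;
const PHONE_RE = /\+?\d[\d\s().-]{7,}\d/;

function redactText(text) {
  return text
    .replace(new RegExp(EMAIL_RE.source, 'g'), 'EMAIL_REDACTED')
    .replace(new RegExp(PHONE_RE.source, 'g'), 'PHONE_REDACTED');
}

// Percent-decode a path, tolerating malformed sequences.
function safeDecode(text) {
  try {
    return decodeURIComponent(text);
  } catch (e) {
    return text;
  }
}

// Returns { url, findings }: the cleaned URL and a list of where PII was seen
// ('param:<key>' for a known PII key, 'value:<key>' for a pattern hit in
// another parameter's value, 'path' for a hit in the path itself).
function scrubPii(rawUrl) {
  const url = new URL(rawUrl);
  const findings = [];

  // Set() dedupes repeated keys; searchParams.set() collapses them anyway.
  for (const key of new Set(url.searchParams.keys())) {
    const value = url.searchParams.get(key);
    if (PII_PARAMS.has(key.toLowerCase())) {
      url.searchParams.set(key, 'REDACTED');
      findings.push(`param:${key}`);
    } else if (EMAIL_RE.test(value) || PHONE_RE.test(value)) {
      url.searchParams.set(key, redactText(value));
      findings.push(`value:${key}`);
    }
  }

  // Addresses sometimes land in the path itself, e.g. /confirm/<email>.
  const path = safeDecode(url.pathname);
  const cleanPath = redactText(path);
  if (cleanPath !== path) {
    url.pathname = cleanPath;
    findings.push('path');
  }

  return { url: url.toString(), findings };
}

// In the browser, call this just before the pageview is sent, e.g.
//   const { url, findings } = scrubPii(location.href);
//   if (findings.length) console.warn('PII removed from analytics URL:', findings);
//   analytics.pageview(url);   // your tag's pageview API (name assumed)
```

Treat a non-empty `findings` list as a bug report against the page that produced the URL, not as the fix: the form or redirect should stop putting personal data in the URL in the first place. The phone pattern is deliberately loose and will also match long booking or loyalty numbers, so review what it flags on your own traffic before relying on it.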
  28. WHAT YOU NEED TO KNOW: What you need to know about GDPR as a non-EU company.
  29. GDPR CONCEPTS
      DATA SUBJECT: The data subject is the owner of the data and owns the rights to their data.
      CONTROLLER/PROCESSOR: Collectors and processors are granted permission to use the data by the data subject.
  30. KEY CONCEPT [diagram: Person (subject) → Controller → Processor → Sub-processor; data owned by the subject, data “borrowed” by the others for the purpose of use; personal data breach]
      The data subject owns their personal data. As a data controller or processor, you may collect and use the data with the strict permission of the data subject (some exclusions within Article 6). In most cases, the data subject has the right to access their personal data and to restrict its use.
  31. WHAT IS A DATA SUBJECT: A “data subject” is a human. ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  32. 8 DATA SUBJECT RIGHTS
      1. The right of access
      2. The right to rectification
      3. The right to erasure
      4. The right to restrict processing
      5. The right to be informed
      6. The right to data portability
      7. The right to object
      8. Rights in relation to automated decision making
  33. PRINCIPLES
      ▹ Lawfulness, fairness and transparency
      ▹ Purpose limitation: specified, explicit and legitimate purpose
      ▹ Data minimisation: adequate, relevant and limited to purpose
      ▹ Accuracy: accurate and up-to-date
      ▹ Storage limitation: no longer than is necessary for the purpose
      ▹ Integrity and confidentiality: appropriate security
      ▹ Accountability: be responsible and demonstrate compliance
  34. YOUR OBLIGATIONS: PRIVACY BY DESIGN & DEFAULT
      ● More ‘state of mind’ than law
      ● Requires organisations to have data protection ingrained in their culture
  35. YOUR OBLIGATIONS: LAWFUL BASIS FOR PROCESSING: You must have a lawful basis for collecting and processing data.
      ● Typically assumed to be consent
      ● Freely given, specific, informed and unambiguous
      ● Clear affirmative action (a pre-ticked box is not adequate)
  36. YOUR OBLIGATIONS: LAWFUL BASIS FOR PROCESSING: BUT there are other justifications for processing personal data, including:
      ○ Contractual obligation
      ○ Legal obligation
      ○ Vital interest of the individual
      ○ Public interest
      ○ Legitimate interest
  37. YOUR OBLIGATIONS: DATA PROTECTION OFFICER: An organisation must appoint a Data Protection Officer where:
      ● It is a public authority,
      ● Its core activities involve “regular and systematic monitoring of data subjects on a large scale”, or
      ● Its core activities involve processing of ‘sensitive’ data on a large scale
  38. YOUR OBLIGATIONS: DATA PROTECTION OFFICER
      ● Required to manage and oversee the data protection programme
      ● Can be outsourced, with care
      ● Internal appointment recommended
  39. YOUR OBLIGATIONS: EU DATA PROTECTION REPRESENTATIVE: An organisation must appoint a Representative where:
      ● It processes the data of individuals in the EU
      ● It is not established in the EU
      ● (Exclusions for the public sector and “occasional” processing)
  40. YOUR OBLIGATIONS: EU DATA PROTECTION REPRESENTATIVE
      ● Purpose: allows EU-based persons and authorities to contact the processor
      ● Why hidden?
        ○ Most material on GDPR comes from the EU
        ○ This obligation does not apply to EU-based organisations
  41. YOUR OBLIGATIONS: EU DATA PROTECTION REPRESENTATIVE: European irony at its best
      ● Although the obligation is hidden, failure to comply is clear: the Representative should be clearly identified to allow contact
      ● Real potential for fines, e.g. WhatsApp (up to €1m)
  42. YOUR OBLIGATIONS: PROCESSING AGREEMENTS: Where the data controller appoints a data processor, there must be a contract which sets out:
      ● Subject-matter, duration, nature and purpose of the processing
      ● That the processor will only process on the instructions of the controller
      ● Any non-EU countries where the personal data will be processed
      ● And more…
  43. YOUR OBLIGATIONS: PROCESSING AGREEMENTS: Where the data processor appoints a sub-processor, an equivalent contract must be put in place between the processor and sub-processor
      ● It is likely these contracts will end up being in place between two US-based companies, where one subcontracts processing work to the other
  44. YOUR OBLIGATIONS: INTERNATIONAL TRANSFER
      ● When transferring data across international borders, there must be adequate protections in place.
      ● Some countries have been granted ‘equivalent’ status, confirming a level of legal protection of personal data equivalent to that in the EU
      ● Equivalent countries include Argentina, Israel, New Zealand and Canada (commercial organisations only)
  45. YOUR OBLIGATIONS: INTERNATIONAL TRANSFER
      ● For US-EU transfers, the Privacy Shield has replaced the Safe Harbor agreement post-Snowden
      ● The Privacy Shield is open to criticism under GDPR if the US can’t give sufficient reassurances about government interception of data
      ● Organisations who wish to benefit from Privacy Shield must self-certify to the Department of Commerce
  46. YOUR OBLIGATIONS: PRIVACY NOTICE: Where personal data is collected, the data subject should be informed of:
      ● the identity of the data controller and Data Protection Officer (if applicable) and how to contact them;
      ● why and where the data processing is being undertaken (including safeguards if being sent outside the EEA);
      ● how long the data will be kept; and
      ● the data subject’s right to object to the processing
  47. YOUR OBLIGATIONS: SUBJECT ACCESS REQUEST: A data subject (the individual) can issue a request to an organisation which is a data controller of their personal data to request (among other things):
      ● Details of the personal data they hold
      ● Correction of the personal data
      ● Erasure of the personal data (the “right to be forgotten”)
  48. YOUR OBLIGATIONS: SUBJECT ACCESS REQUEST
      1. Must respond within one month
      2. Cannot charge for the response
      3. BUT can refuse excessive requests
  49. YOUR OBLIGATIONS: DATA BREACH NOTIFICATIONS: Where there has been a breach of personal data which could impact the rights and freedoms of the individual, the data controller must inform the relevant EU national data protection authorities within 72 hours of becoming aware
  50. YOUR OBLIGATIONS: DATA BREACH NOTIFICATIONS
      ● If there is a high risk to the data subject, they must also be informed directly
      ● The processor is obliged to inform the data controller “without undue delay”
  51. YOUR OBLIGATIONS: DATA PROCESSING RECORD
      ● An organisation must keep records of its processing activities for inspection
      ● Should include:
        ○ What processing is undertaken
        ○ On what data
        ○ For what purpose
        ○ How the rights and freedoms of individuals are protected
  52. YOUR OBLIGATIONS: DATA PROCESSING RECORD
      ● An organisation must undertake an assessment of the impact on individuals’ rights when undertaking new processing activities, particularly using new technology
      ● Should include: what processing is undertaken, on what data, for what purpose, and how the rights and freedoms of individuals are protected
  53. WHAT TO DO: What you can do to demonstrate data protection compliance
  54. MAKING COMPLIANCE EASY: We’ve created a GDPR (& Data Protection) Compliance framework to help Data Controllers and Data Processors become compliant. Here’s a summary of what to do... (GDPR & Data Protection Hub)
  55. UNDERSTAND YOUR RISK
      ▹ Evaluate your user, customer and employee data.
      ▹ Is there any data from within the EU?
      ▹ If the answer is yes (even 1 person)
      ▹ You are required to comply with the regulation
      Look in your CRM, mailing lists and web analytics for EU data.
  56. APPOINT YOUR DATA TEAM
      ● Appoint a DPO
      ● Appoint an EU Representative
      ● Appoint Data Protection Champions
  57. COMPLIANCE GAP ANALYSIS
      ● Controller and processor
      ● Compliance evaluation
      ● Against 4 criteria:
        ○ Transparency & lawfulness
        ○ Individual rights
        ○ Accountability & governance
        ○ Security, international transfers and breaches
  58. KNOW YOUR DATA
      ● Know every data flow within your business
      ● Identify where the data is
      ● Identify where the data goes
      ● Identify who has access
      ● How long you need it for
      ● If it is a risk
      ● If it is being transferred outside the EU
  59. DOCUMENT PROCESSORS
      ● Identify all your processors and sub-processors
      ● Ensure they are compliant
      ● As a controller it’s your responsibility
  60. PROCESS FOR DATA EVENTS (REQUESTS)
      ● Ensure your staff and customers have a method to make a subject access request
      ● Make sure you have a process to handle the request
  61. ASSETS & PROCESS
      ● Get your assets together
      ● Get your processes together
      ● Communicate them
      ● Add a privacy notice to your site
  62. TRAIN YOUR TEAM
      ● Training is not a tick-box exercise
      ● Train your staff on personal data protection
      ● Train your leaders on personal data protection
      ● Personal data protection as a concept
      ● Personal data protection as a culture
  63. PAUL HEWETT, Commercial Director, In Marketing We Trust: paul@imwt.com.au, twitter.com/pmhewett, linkedin.com/in/pmhewett
      TIM BELL, Managing Director, DPR Group: timbell@dpr.eu.com, www.dpr.eu.com, linkedin.com/in/timjbell1
