Who would have thought four letters could cause such organisational angst? But that’s precisely what GDPR is doing. Even if you’re not yet au fait with the ins and outs of what GDPR is and how it will affect your business, I’m assuming you’ve heard of it – from the abundance of articles, to whisperings across marketing departments – and all with good reason.
GDPR is the General Data Protection Regulation and it’s a legal requirement from 25 May 2018, replacing the existing Data Protection Directive at European Union level and the UK Data Protection Act 1998. It applies to anyone handling data belonging to EU residents, which means it almost definitely will apply to your organisation.
Why’s it being introduced? Partly because of globalisation and the increasing number of businesses operating multinationally, and partly because of the growing digital economy we all operate in, which is also to a large degree responsible for the increased globalisation. The introduction of GDPR means data protection laws will now assume a level of international consistency, and they also class digital footprints – IP addresses, cookies, MAC addresses – as personal data for the first time.
Like all things, the digital revolution and the increased level of access to personal data have both pros and cons. For organisations, it means we can understand our customers better and operate marketing campaigns that are better targeted, more efficient and more cost-effective. As a result, customers benefit from personalised content, tailored offerings, less spam and faster, more convenient transactions.
But the big downside to this amount of information being online is that it’s constantly open to abuse, attack and misuse by individuals and organisations. Just take a minute to Google ‘security breaches 2017’ and it soon becomes clear just how prolific data breaches are. These were the top three headlines on the website itgovernance.co.uk when I searched:
· Hacked video game company fined £60k by ICO
In March, a hack attack on ABTA exposed the personal details of 43,000 consumers and 650 tour operators and travel agents. Of course, that’s not a patch on the recent ransomware attack that brought the NHS to its knees.
These incidents highlight clearly what a massive issue data protection and security really is and why we, in the business travel industry, need to be at the top of our game. As an organisation that’s responsible for storing and transmitting data on thousands upon thousands of travellers, it’s crucial at CTM that we can reassure them – and our clients – that this information is being collected, stored and used both responsibly and with each person’s consent. And that’s what GDPR will do: introduce an accountability-based framework for handling the way personal information is acquired, used and shared.
Oh, and just one more thing you need to know about GDPR – and the real reason why those four little letters are causing such organisational angst – companies that fail to comply with GDPR could face a fine of up to €20 million (about £18 million) or 4 per cent of annual turnover, whichever is greater. My advice? 25 May isn’t so far away – if you haven’t already started planning for GDPR, I would start now.
This post was written by Karen Janssen, Chief Information Officer at Corporate Travel Management (CTM), a top ten global TMC exhibiting at the Business Travel Show in February. To register for a free visitor pass and meet up with CTM (stand B620) to discuss GDPR and all of your other travel management needs.