More data means more data at risk – but an effective strategy can help keep everyone’s information safe
Between industry data hacks, GDPR, privacy and all that jazz, how does a buyer incorporate data security into their Phat Data strategy? It’s not as complex or as difficult as one might think, and it certainly cannot be ignored.
Protecting the PII (Personally Identifiable Information) of our travelers or meeting attendees is more important than ever. When the GDPR took effect in May 2018, the travel industry finally seemed to stand up and start thinking about data security and privacy in a whole new light.
Suddenly lots of things changed! Suppliers were updating their privacy agreements, providing consent statements on their websites and the like. Buyers were for the most part dependent on the suppliers to tell them they had this new GDPR thing covered. On the other side of the equation, most travel managers relied on their corporations to be in compliance.
Because buyers have been relying on others to be compliant, we may not have focused on the topic nearly as much as we should. The time has come for buyers to engage more actively with data security and privacy concerns.
While data security is the same whether you are working with transient travel or meetings, consent and the use of the data can have different outcomes. For example, a meeting attendee has to give consent to share certain data, and if they don’t, they may not be able to attend the event.
On the other hand, when an employee joins an organization and is required to travel for the company, consent is given that they will be required to share PII data and that the company will protect that data. But if the employee chooses not to give consent, it could mean that they can no longer be employed at that organization, which is a completely different impact from that on a meeting attendee.
The security may be the same, but the outcomes are completely different. However, in both cases the traveler and the meeting attendee have a right to understand how their data will be used. This is why it is so important for meeting managers and travel buyers to learn how to protect employees in a variety of scenarios. And it starts with understanding the roles and responsibilities around protecting personal data.
Who’s On First?
If you are the one collecting the data, you are the Controller of that data (that is, your travelers provide their PII data to your company). When you utilize third parties and share that data (your company provides data about your travelers to your suppliers), those third parties are considered the Processors of the data.
So you have to know where your responsibilities begin and end. You also need to know the role the third parties play. “This is important because it’s going to tell you everything you need to know and everything you need to protect,” says Kevin Iwamoto, senior vice president at Goldspring Consulting.
Kevin has been an outspoken industry advocate around data security, GDPR and how it affects the travel and meetings industry. In a recent interview he stressed that, as buyers, we need to be in agreement with our Processors (third parties) on the rules they need to follow and what they can and can’t do with the data they are provided.
These aren’t necessarily conversations that occur on a regular basis. So what does a buyer or meetings manager need to do to get their arms around this big, important – and kind of scary – topic? Like everything we do around Phat Data, we have to start with our strategy.
Establish the Ground Rules
Buyers should begin by doing a data privacy audit with their suppliers that covers the following:
• A list of who is actually touching their travel/meetings related data.
• Do they actually need access?
• What data do they really need in order to perform their work?
• What is the bare minimum?
• Can the data sets be anonymized?
If you uncover a potential gap in data security with a supplier, you need to ask the supplier what its plans are to comply and what structural changes are being made.
The answers may be shocking to most buyers. There is a ton of data floating around in this industry and getting your arms around who needs what is an important task. It is also a challenging task; buyers may want to restrict certain PII data from going to certain suppliers because it is not needed, but the supplier’s infrastructure is not necessarily designed to make that happen.
Buyers must also understand that this is not a once-and-done exercise; it should be an annual process. Make it part of your regular conversations with suppliers.
If you are entering into a new contractual agreement with a supplier, make sure you include data security in your negotiations and let them know that this will be a regular discussion item going forward. Ensure that the agreement incorporates regular data privacy audits, so the supplier commits to participating and knows it is coming each year.
Most companies have some sort of data protection/security team; buyers will want to engage with them in this process. Having had the experience of explaining how data gets transferred around in the travel space, I can tell you that talking with your data team is going to be a fun conversation. Just make sure you have that conversation long before you start talking to suppliers.
Kevin also recommends a few more items that buyers should understand specifically around GDPR. One of the key changes under the new regulations is that individuals have the right to be forgotten (the right to erasure, GDPR Article 17).
While we all have those travelers that we wish we could forget, this regulation can create complexities within the travel and meetings space. Imagine having to get all the data around one traveler completely eliminated. Without doing the data audit described above, trying to find all the touchpoints of an individual’s information would be a daunting task.
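The audit questions above (who touches the data, what is the bare minimum, can it be anonymized) and the erasure request just described can both be served by the same mechanism: a per-supplier allow-list of fields, a keyed pseudonym in place of the raw employee identifier, and an audit log of every share. The following is an added example written for this page, not code from the author or from any supplier; the traveler record, the supplier names and their field allow-lists, and the pseudonym key are all constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample traveler record for the example; not real data.
TRAVELER = {
    "employee_id": "E-10442",
    "name": "Alex Example",
    "email": "alex.example@example.com",
    "date_of_birth": "1980-04-12",
    "passport_number": "X1234567",
    "loyalty_number": "FF-998877",
    "cost_center": "4410",
    "mobile": "+1-555-0100",
}

# Assumed per-supplier allow-lists. In practice these are the answers to
# "what data do they really need?" from the audit; the sets here are
# illustrative, not any real supplier's requirements.
SUPPLIER_FIELDS = {
    "airline": {"name", "date_of_birth", "passport_number", "loyalty_number"},
    "hotel": {"name", "email", "mobile"},
    "spend_analytics": {"cost_center"},  # reporting only: no direct identifiers
}

# Assumed controller-held secret. Keep it in a secrets manager in real use;
# a processor without this key cannot turn a token back into an employee id.
PSEUDONYM_KEY = b"controller-only-secret-rotate-me"


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256 token: stable for joins across suppliers, but not
    reversible without the controller's key (a plain SHA-256 of a
    guessable employee id could simply be brute-forced)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimize_for_supplier(record: dict, supplier: str) -> tuple:
    """Return (payload to send, audit entry). Default deny: a supplier with
    no audited allow-list gets nothing."""
    if supplier not in SUPPLIER_FIELDS:
        raise ValueError(f"no audited data allow-list for supplier {supplier!r}")
    allowed = SUPPLIER_FIELDS[supplier]
    payload = {k: v for k, v in record.items() if k in allowed}
    payload["traveler_ref"] = pseudonymize(record["employee_id"])
    audit = {
        "supplier": supplier,
        "traveler_ref": payload["traveler_ref"],
        "fields_shared": sorted(payload),
        "fields_withheld": sorted(set(record) - allowed),  # raw employee_id stays home
        "at": datetime.now(timezone.utc).isoformat(),
    }
    return payload, audit


def share_with_all(record: dict, suppliers, audit_log: list) -> dict:
    """Produce each supplier's payload and append one audit entry per share."""
    out = {}
    for s in suppliers:
        payload, entry = minimize_for_supplier(record, s)
        audit_log.append(entry)
        out[s] = payload
    return out


def touchpoints(employee_id: str, audit_log: list) -> dict:
    """For an erasure request: which suppliers hold data on this traveler and
    which fields. Lookup is by token, so the log itself carries no raw id."""
    ref = pseudonymize(employee_id)
    hits = {}
    for e in audit_log:
        if e["traveler_ref"] == ref:
            hits.setdefault(e["supplier"], set()).update(e["fields_shared"])
    return {s: sorted(f) for s, f in hits.items()}


if __name__ == "__main__":
    log = []
    payloads = share_with_all(TRAVELER, ["airline", "hotel", "spend_analytics"], log)
    for s, p in payloads.items():
        print(s, p)
    print("erasure targets for E-10442:", touchpoints("E-10442", log))
```

Two design points matter here. The supplier that is not in the allow-list table raises rather than receiving everything, which is the direction the audit pushes you in: data flows only where someone has signed off on the need. And the audit log is keyed by the pseudonym, so answering "where does this traveler's data live?" is a lookup instead of the daunting search described above.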
Plugging the Gaps
The other key issue is what happens if there is a data breach. Who is ultimately responsible for advising travelers or meeting attendees? Under GDPR, a Processor that becomes aware of a breach must notify the Controller without undue delay; the Controller must notify the supervisory authority within 72 hours of becoming aware, and must tell the affected individuals without undue delay when the breach is likely to put them at high risk. That may sound easy, but what if you don’t know who should actually be the one doing the informing?
“That argument could last a lot longer than 72 hours,” says Kevin. That means including language in your supplier agreements on the topic of data breaches and the roles and responsibilities for all involved parties. “If not now, when?” asks Kevin. “Do not wait until you are caught up in a data breach. By then it’s too late.”
Suppliers get ready; buyers get started. Data security may have seemed like someone else’s responsibility but as travel buyers, we have a mountain of PII data generated by business travel and we must perform our due diligence and incorporate it into our Phat Data strategies.
The issue is only going to get bigger. We will continue to face new legislation and regulations around data privacy, and the more we prepare the easier it will be to manage in the long run.
Good luck and may the PII gods be with you!
Jennifer Steinke is vice president Global Travel Experience at WHoldings, and an industry thought leader with over 30 years’ experience managing corporate travel. She holds an MBA plus Certified Corporate Travel Executive (CCTE) and Global Travel Professional (GTP) certifications from GBTA. Jennifer strives to deliver innovative and thought-provoking ideas to the corporate travel industry.