If you’ve noticed an increase in the number of emails coming through recently about companies updating their terms of service or privacy policies—especially those changes that are going into effect on May 25, 2018—that’s not a coincidence. These companies, Savoya included, are getting ready for the implementation of the European Union’s General Data Protection Regulation (GDPR).
But what is the GDPR, and why should it matter to you? What kind of GDPR response should you expect from your travel providers? Let’s answer these questions and more as we approach the upcoming rollout deadline:
What is the GDPR?
The implementation of GDPR on May 25, 2018 comes on the heels of nearly four years of negotiating within the EU on how to best strengthen existing data privacy laws. To that end, explains Trunomi’s GDPR site:
“The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.”
Though the GDPR is notably light on the specifics of what companies need to do to stay compliant, analysts have identified several core responsibilities that will affect any business that serves EU citizens, including the need to:
- Demonstrate valid grounds for collecting and processing personal data
- Inform subjects on what is being collected and why
- Keep records of all data processing activities
- Ensure the security of these processing activities and any stored data
- Enable subjects to request access to or the deletion of their stored personal data
- Report data breaches and inform anyone affected about the potential impact of the breach in a timely manner
There’s a lot more “legalese” to the full GDPR text, but effectively, it boils down to better protection for consumers’ personal data, which encompasses anything that can be used to directly or indirectly identify a user (including not just names and Social Security numbers, but email addresses, IP addresses, social media usernames and more).
Why Should You Care?
Both businesses and individuals have a vested interest in personal data protection.
Consumers should care about regulations like GDPR, given that 17.6 million people in the US experience some form of identity theft each year, and that the average financial impact of these thefts is $1,343 (not to mention the associated emotional impact).
Perhaps unsurprisingly, the RSA Data Privacy & Security Report, which surveyed 7,500 consumers in France, Germany, Italy, the UK and the U.S., found that:
- 80% of consumers said lost banking and financial data is a top concern
- Lost security information (e.g., passwords) and identity information (e.g., passports or driving licenses) were cited as a concern by 76% of the respondents
- 62% of all respondents said they would blame the company that lost their data, even before blaming hackers
In addition to meeting this growing demand for transparency and responsibility, businesses’ bottom lines are threatened by the potential financial impact of personal data breaches. IBM’s 2017 Ponemon Cost of Data Breach Study found that:
- The global average cost of a data breach is $3.62 million
- The average cost for each lost or stolen record containing sensitive and confidential information is $141
- Companies in this year’s study are having larger breaches. The average size of the data breaches in this research increased to more than 24,000 records.
As the techniques used by hackers to trigger data breaches and access personal information increase in sophistication, all consumers must be concerned about how data is stored and protected—and that includes those who regularly use ground transportation providers.
What Should You Ask Your Ground Travel Providers?
Technically, companies are only required to be GDPR compliant if they “store or process personal information about EU citizens within EU states, even if they do not have a business presence within the EU,” according to CSO Senior Editor Michael Nadeau.
If your ground transportation providers are small, locally owned garages or individual operators, they’re unlikely to be GDPR ready—nor do they need to be.
However, it’s worth noting that the principles underlying the GDPR aren’t just a set of arbitrary obligations hashed out by a foreign governing body. They’re best practices that all companies benefit from adopting now, whether they’re obligated to do so or not.
To that end, we recommend asking your ground travel providers the following questions:
- What personal information do you capture?
- What steps are you taking to protect this data?
- Are you required to be GDPR compliant?
- Are you GDPR ready?
- If not, why?
Keep in mind that, in the course of doing business, your ground transportation provider has access to everything from your travelers’ personal contact information to your payment methods and more. A breach on your ground transportation provider’s end could compromise this information, putting you, your traveler and your entire company at risk.
Full GDPR compliance across the ground travel space may not be a reasonable goal, but that doesn’t mean you can ignore the importance of personal data protection. Be proactive by asking about GDPR readiness or other data security protocols at every stage of your traveler’s journey.
To learn more about what Savoya has done to become GDPR ready, check out our news release on the topic. Or, if you have questions about what GDPR means for ground transportation providers, leave us a note below in the comments.