GDPR for Travel Companies: What You Need to Know and Do.
When Paul Hewett, Commercial Director of In Marketing We Trust met Tim Bell, Managing Director of DPR Group (Data Protection Representatives Group) at SXSW earlier this year, IMWT partnered with DPR to bring you this webinar on GDPR for Travel Companies + a FREE GDPR framework to help you comply.
These slides cover:
* GDPR for Travel Companies: Explained Simply
* "Global" GDPR
* Why Travel Companies Need to Pay Close Attention
* GDPR Compliance Obligations for Travel Companies
* GDPR: How to Comply
* Plus much more
Get more information and download your FREE GDPR Framework: https://www.inmarketingwetrust.com.au/gdpr-travel-companies-free-gdpr-framework
2. CO-HOSTING TODAY
PAUL HEWETT, Commercial Director, In Marketing We Trust
“...we help travel brands get more customers and make more sales!”
TIM BELL, Managing Director, DPR Group
“...we represent our non-EU clients in Europe”
A marketer and a lawyer walk into a bar in Texas...
3. DISCLAIMER
This session will provide general comments on the obligations under GDPR and some actions which can be taken to move towards compliance.
It is not intended to be a comprehensive description of GDPR, and is not a substitute for full legal advice, which should be sought before drawing any conclusions on your particular circumstances.
4. WHAT WE’LL COVER TODAY
1. WHY GDPR MATTERS TO NON-EU COMPANIES
2. WHY GDPR MATTERS FOR TRAVEL COMPANIES
BUT FIRST...
6. PERSONAL DATA IS GROWING
Each day we leave a trail of personal data across the web which is being collected by companies.
...And the volume of personal data just keeps growing.
11. ● 2011 Max Schrems brings action against Facebook in Ireland for breach of privacy laws – Facebook disables facial recognition software
● 2013 Following Snowden revelations, Schrems brings further action, resulting in collapse of US-EU ‘Safe Harbour’ for data transfers
● 2018 Belgian data protection authority requires Facebook to stop tracking non-Facebook users and delete data collected unlawfully using cookies (fined $311,000 per day for non-compliance)
12. ● 2016 WhatsApp lose case in Holland for not appointing a local Data Protection Representative – €1m fine
● 2017 French data protection authority demands WhatsApp stop sharing data with (owner) Facebook
13. ● 2016 UBER suffers massive data breach, losing the personal data of around 57,000,000 drivers and passengers
● 2017 UBER admit to the data breach, and to paying off the hackers
15. WHAT IS THE GDPR
▹ EU law on data protection and privacy
▹ Applies to all individuals within the EU
▹ Gives individuals within the EU control of their personal data
▹ Replaces the 1995 Data Protection Directive
▹ Adopted into law 27-April-2016
▹ Becomes enforceable 25-May-2018
16. WHY GDPR MATTERS TO YOU
GDPR is directly enforceable against Australian, Asian, American and all non-EU companies.
17. GDPR IS GLOBAL
▹ Increased ‘Territorial Scope’ (Article 3(2))
▹ Any organisation which collects and/or processes the data of EU data subjects is required to meet the obligations of the GDPR
▹ Regardless of their location
18. PENALTIES
The risk for your organisation is significant.
▹ Large non-compliance fines: up to €20,000,000 or 4% of global revenue
▹ Globally enforceable
▹ From 25-May-2018
21. GDPR IS AN OPPORTUNITY
Consumers are becoming more data savvy by the day; getting data privacy right is a good business decision.
▹ Tell your customers why you need their data
▹ Tell them what you’re doing with their data
▹ Tell them what you
22. GDPR IS AN OPPORTUNITY
1. Ask your customers for consent to use their data.
2. Tell your customers what you’ll do with the data.
3. Tell your customers how you’ll protect their data.
BE TRANSPARENT. TELL YOUR CUSTOMERS WHAT YOU’RE DOING AND WHY.
23. TRAVEL WEBSITES SHOULD PAY CLOSE ATTENTION
Most travel businesses are global. Whether they like it or not!
25. HIDDEN EU CUSTOMERS
If you’re like other online travel companies, it’s likely you’re capturing data from EU users already…
Even if you have country code top-level domains.
26. HERE’S HOW IT WORKS
You may be capturing personalised data the minute your web tags start firing. Some of this is personal data.
Types of tag and data capture shown: Analytics; Anonymous; Personalisation; Advertising; Sign Ups; Web Forms; Progressive Profiling; Transaction.
27. PII DATA
You may even be capturing high-risk PII data in your web analytics.
▹ Data Protection Breach
▹ Against Google Terms
28. WHAT YOU NEED TO KNOW
What you need to know about GDPR as a non-EU company.
29. GDPR - CONCEPTS
DATA SUBJECT: The data subject is the owner of the data and owns the rights to their data.
CONTROLLER/PROCESSOR: Controllers and processors are granted permission to use the data by the data subject.
30. KEY CONCEPT
[Diagram: Person (subject) → Controller → Processor → Sub-processor; data owned by the subject, “borrowed” for the purpose of use; Personal Data Breach.]
The data subject owns their personal data.
As a data controller or processor, you may collect and use the data with the strict permission of the data subject (some exclusions within Article 6).
In most cases, the data subject has the right to access their personal data and to restrict its use.
31. WHAT IS A DATA SUBJECT
“Data subject” is a human.
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
32. DATA SUBJECT RIGHTS
1. The right of access
2. The right to rectification
3. The right to erasure
4. The right to restrict processing
5. The right to be informed
6. The right to data portability
7. The right to object
8. Rights related to automated decision making
33. PRINCIPLES
▹ Lawfulness, fairness and transparency
▹ Purpose Limitation: specified, explicit and legitimate purpose
▹ Data Minimization: adequate, relevant and limited to purpose
▹ Accuracy: accurate and up-to-date
▹ Storage Limitation: no longer than is necessary for the purpose
▹ Integrity and confidentiality: appropriate security
▹ Accountability: be responsible and demonstrate compliance
34. YOUR OBLIGATIONS: PRIVACY BY DESIGN & DEFAULT
● More ‘state of mind’ than law
● Requires organisations to have data protection ingrained in their culture
35. YOUR OBLIGATIONS: LAWFUL BASIS FOR PROCESSING
You must have a lawful basis for collecting and processing data.
● Typically, assumed to be consent
● Freely given, specific, informed and unambiguous
● Clear affirmative action (pre-ticked box not adequate)
36. YOUR OBLIGATIONS: LAWFUL BASIS FOR PROCESSING
BUT there are other justifications for processing personal data, including:
○ Contractual Obligation
○ Legal Obligation
○ Vital Interest to individual
○ Public interest
○ Legitimate Interest
37. YOUR OBLIGATIONS: DATA PROTECTION OFFICER
An organisation must appoint a Data Protection Officer where:
● It is a public authority,
● Its core activities involve “regular and systematic monitoring of data subjects on a large scale”, or
● Its core activities involve processing of ‘sensitive’ data on a large scale
39. YOUR OBLIGATIONS: EU DATA PROTECTION REPRESENTATIVE
An organisation must appoint a Representative where:
● It processes the data of individuals in the EU
● It is not established in the EU
● (Exclusions for public sector, “occasional” processing)
40. YOUR OBLIGATIONS: EU DATA PROTECTION REPRESENTATIVE
● Purpose: allows EU-based persons and authorities to contact the processor
● Why hidden?
○ Most material on GDPR comes from the EU
○ This obligation does not apply to EU-based organisations
41. YOUR OBLIGATIONS: EU DATA PROTECTION REPRESENTATIVE
European irony at its best
● Although the obligation is hidden, failure to comply is clear – the Representative should be clearly identified to allow contact
● Real potential for fines – e.g. WhatsApp (up to €1m)
42. YOUR OBLIGATIONS: PROCESSING AGREEMENTS
Where the data controller appoints a data processor, there must be a contract which sets out:
● Subject-matter, duration, nature and purpose of the processing
● That the processor will only process on the instructions of the controller
● Any non-EU countries where the personal data will be processed
● And more…
43. YOUR OBLIGATIONS: PROCESSING AGREEMENTS
Where the data processor appoints a sub-processor, an equivalent contract must be put in place between the processor and sub-processor
● It is likely these contracts will end up being in place between two US-based companies, where one subcontracts processing work to the other
44. YOUR OBLIGATIONS: INTERNATIONAL TRANSFER
● When transferring data across international borders, there must be adequate protections in place.
● Some countries have been granted ‘equivalent’ status, confirming a level of legal protection of personal data equivalent to that in the EU
● Equivalent countries include Argentina, Israel, New Zealand, Canada (commercial organisations only)
45. YOUR OBLIGATIONS: INTERNATIONAL TRANSFER
● For US-EU transfers, the Privacy Shield has replaced the Safe Harbor agreement post-Snowden
● The Privacy Shield is open to criticism under GDPR if the US can’t give sufficient reassurances about government interception of data
● Organisations who wish to benefit from Privacy Shield must self-certify to the Department of Commerce
46. YOUR OBLIGATIONS: PRIVACY NOTICE
Where personal data is collected, the data subject should be informed of:
● the identity of the data controller and Data Protection Officer (if applicable) and how to contact them;
● why and where the data processing is being undertaken (including safeguards if being sent outside the EEA);
● how long the data will be kept; and
● the data subject’s right to object to the processing
47. YOUR OBLIGATIONS: SUBJECT ACCESS REQUEST
A data subject (the individual) can issue a request to an organisation which is a data controller of their personal data to request (among other things):
● Details of the personal data they hold
● Correction of the personal data
● Erasure of the personal data (the “right to be forgotten”)
49. YOUR OBLIGATIONS: DATA BREACH NOTIFICATIONS
Where there has been a breach of personal data which could impact the rights and freedoms of the individual, the data controller must inform the relevant EU national data protection authorities within 72 hours of becoming aware
50. YOUR OBLIGATIONS: DATA BREACH NOTIFICATIONS
● If a high risk to the data subject, they must also be informed directly
● The processor is obliged to inform the data controller “without undue delay”
51. YOUR OBLIGATIONS: DATA PROCESSING RECORD
● An organisation must keep records of its processing activities for inspection
● Should include:
○ What processing is undertaken
○ On what data
○ For what purpose
○ How the rights and freedoms of individuals are protected
52. YOUR OBLIGATIONS: DATA PROCESSING RECORD
● An organisation must undertake an assessment of the impact on individuals’ rights when undertaking new processing activities, particularly using new technology
● Should include:
○ What processing is undertaken, on what data, for what purpose, and how the rights and freedoms of individuals are protected
53. WHAT TO DO
What you can do to demonstrate data protection compliance
54. MAKING COMPLIANCE EASY
We’ve created a GDPR (& Data Protection) Compliance framework to help Data Controllers and Data Processors become compliant.
Here’s a summary of what to do...
GDPR & Data Protection Hub
55. UNDERSTAND YOUR RISK
▹ Evaluate your user, customer and employee data.
▹ Is there any data from within the EU?
▹ If the answer is yes (even 1 person), you are required to comply with the regulation.
Look in your CRM, mailing lists and web analytics for EU data.
56. APPOINT YOUR DATA TEAM
● Appoint a DPO
● Appoint an EU Representative
● Appoint Data Protection Champions
57. COMPLIANCE GAP ANALYSIS
● Controller and Processor
● Compliance evaluation
● Against 4 criteria:
○ Transparency & Lawfulness
○ Individual Rights
○ Accountability & Governance
○ Security, international transfers and breaches
58. KNOW YOUR DATA
● Know every data flow within your business
● Identify where the data is
● Identify where the data goes
● Identify who has access
● How long you need it for
● If it is a risk
● If it is being transferred outside the EU
60. PROCESS FOR DATA EVENTS (REQUESTS)
● Ensure your staff and customers have a method to make a subject access request
● Make sure you have a process to handle the request
61. ASSETS & PROCESS
● Get your assets together
● Get your processes together
● Communicate them
● Add a privacy notice to your site
62. TRAIN YOUR TEAM
● Training is not a tick box exercise
● Train your staff on personal data protection
● Train your leaders on personal data protection
● Personal data protection as a concept
● Personal data protection as a culture
63. PAUL HEWETT, Commercial Director, In Marketing We Trust
paul@imwt.com.au
twitter.com/pmhewett
linkedin.com/in/pmhewett
TIM BELL, Managing Director, DPR Group
timbell@dpr.eu.com
www.dpr.eu.com
linkedin.com/in/timjbell1
Editor’s notes
Frame the conference:
As marketers we love data…
The pros of data
But there are some cons...
SET THE SCENE
The volume of data is growing exponentially
By 2020, the total amount of data is set to exceed 50 ZettaBytes.
For context: equivalent to an audio recording of every word spoken by every human
We are moving from storage and processing of structured data: text
To unstructured data: images, audio, video
Much of this data is personal to us as consumers:
It is our videos, photographs and personal metadata such as IP, behavioural data
All of our digital interactions leave a trail of this PI metadata
For the past half decade there has been growing concern about how this data is collected, processed and used
This has resulted in the GDPR
We are moving into a new era of data collection
We are moving from collection of structured schema data to unstructured (using AI) and biometric data
This technology is being introduced to our daily lives, beyond our iPhones
Biometrics at airports
Smile to pay introduced by Alibaba CEO Jack Ma in 2015
The first commercial application of Smile to Pay in a single KFC in China
Alibaba is at the forefront of this technology and the commercial applications and opportunities are incredible
For instance, as a hotel or a cruise liner you could track your guests around a property or a ship to gain intelligence on preferences
Which restaurant or bar do they occupy most, do they use the spa or the gym, do they access the smoking area.
Where is this data stored?
https://www.theverge.com/2017/9/4/16251304/kfc-china-alipay-ant-financial-smile-to-pay
Expedia Media Solutions have been experimenting with eye tracking software for a number of years
Example: the Palace Resorts campaign uses your eye gaze to choose the ideal holiday for you
For this to work your webcam has to be activated
The software focuses on your face to determine your features
Your eye movement is recorded
What data is collected? Eye (used for high-value biometric identification)? Face? Smile (which can be used for low value transaction)?
Where is it stored?
Who has access?
How long is it stored for?
These are the questions brand and technology providers must answer up front.
https://blog.advertising.expedia.com/palace-resorts-uses-eye-tracking-in-new-marketing-campaign
https://martechtoday.com/expedia-now-lets-pick-hawaii-travel-packages-smile-191359
While the use of personal data can be positive, there are some emerging downsides to sharing personal data so publicly.
In China, Police are using mass facial recognition surveillance to monitor citizens
In a number of cities in China jaywalkers are under surveillance
Their face is scanned and 15 seconds of their error is recorded
The images and video are posted on social media and large screens to shame them
And the personal data is stored to a police database
https://mashable.com/2017/06/21/china-facial-recognition-jaywalkers-shaming/#92NOFsFYLqq7
Introduce the concept of GDPR
What is GDPR
GDPR is Global
Fines Are significant
Getting it right is good for business
Whether you’re targeting or selling to EU customers you’re part of a global industry.
As a result, travel companies are at higher risk than other websites with ccTLDs.
For example:
If you take a hotel, car rental or theme park in Singapore as an example, this product is of interest to global customers.
Therefore, they are likely to attract EU users to their website
If the website is not set up for GDPR compliance - there is a risk of fines
Travel is a unique category
If you have a travel product based outside the EU, travellers from within the EU may be looking for your .AU or .SG website
Looking at our customers’ websites we are seeing that country-specific domains are getting users from within the EU
Users are people and their data is covered
This is an issue which is prevalent within travel
If you take a look at your standard website through an EU lens.
Cookies have the potential to capture personal data which is covered under the GDPR
IP address is classed as personal data
When a visitor uses your website, 4 types of cookies are typically served:
Analytics: web analytics such as Google, Adobe
Anonymous: other anonymous cookies
Personalisation: storing useful information that will make your experience better
Advertising: DoubleClick, Remarketing, IP Forensics
Beyond this we move to more transparent types of data capture; forms, progressive profiling, transaction data
Consent is required from UK website users to activate cookies which track user behaviour.
A small word of warning about Analytics cookies.
We have them listed as low risk, anonymised data
Most of the web analytics accounts we see have PII info in them
This is bad for two reasons:
It’s a breach of the GDPR
It’s a breach of Google Terms of use
If Google catches you - your account will be terminated and your data destroyed
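Slide 27 and the note above both warn that web analytics accounts end up holding PII (a GDPR breach and a breach of Google’s terms), and the cookie note says tracking tags need consent before they fire. The following is an added example, not code from the deck or from IMWT/DPR: a small browser-side guard in JavaScript that only fires a tag category the visitor has consented to and redacts PII-bearing query parameters before the pageview leaves the browser. The parameter names, regexes, consent categories and sample URLs are constructed assumptions, not a complete PII taxonomy.

```javascript
// Added example (assumption-based): guard in front of a web-analytics tag.
// Query-parameter names treated as personal data regardless of their value.
const PII_PARAM_NAMES = new Set([
  'email', 'name', 'firstname', 'lastname', 'phone', 'passport', 'dob',
]);

// Value patterns that indicate personal data inside an otherwise harmless parameter.
const PII_PATTERNS = [
  { name: 'email', re: /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/ },
  // 9+ digits with optional separators: phone numbers, but not dates like 2018-05-25.
  { name: 'phone', re: /\+?\d(?:[\s().-]*\d){8,}/ },
];

// Returns the name of the first PII pattern found in `value`, or null.
function findPii(value) {
  const hit = PII_PATTERNS.find((p) => p.re.test(value));
  return hit ? hit.name : null;
}

// Rewrites `rawUrl` with PII-bearing query parameters replaced by REDACTED.
// Returns the clean URL plus a findings list suitable for an audit log.
function scrubAnalyticsUrl(rawUrl) {
  const url = new URL(rawUrl);
  const findings = [];
  // Copy entries first: mutating searchParams while iterating it is unsafe.
  for (const [key, value] of [...url.searchParams.entries()]) {
    const byValue = findPii(value);
    const byName = PII_PARAM_NAMES.has(key.toLowerCase());
    if (byName || byValue) {
      url.searchParams.set(key, 'REDACTED'); // collapses duplicate keys, acceptable here
      findings.push({ param: key, reason: byValue || 'sensitive-parameter-name' });
    }
  }
  return { url: url.toString(), findings };
}

// Tag categories from the deck; assumption: 'anonymous' needs no consent, the rest do.
const CONSENT_REQUIRED = new Set(['analytics', 'personalisation', 'advertising']);

function shouldFireTag(category, consentedCategories) {
  return !CONSENT_REQUIRED.has(category) || consentedCategories.has(category);
}

// Sends a pageview through `transport` (a wrapper around the real analytics tag)
// only when consent allows, and never with raw PII in the URL.
function sendPageview(rawUrl, consentedCategories, transport) {
  if (!shouldFireTag('analytics', consentedCategories)) {
    return { sent: false, findings: [] };
  }
  const { url, findings } = scrubAnalyticsUrl(rawUrl);
  transport({ page: url, piiRedacted: findings.length });
  return { sent: true, findings };
}
```

The findings list is worth shipping to your own logs: a steady stream of `email` hits from one page is the signal that a booking form is leaking contact details into the URL.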
What you need to know as a non-EU company
There are three parties
Personal data – data which can identify an individual, including IP addresses, work contact details, biometric data, most cookies
Data subject – the person who could be identified by the personal data
Data controller – the organisation which determines how the personal data is processed
Data processor – an organisation which processes personal data on behalf of the data controller
Processing – any operation performed on personal data, including collecting, storing
The controller can collect and process the data only with a lawful basis, which is assumed as consent.
Under these circumstances, the data is owned by the data subject
The data subject can access their data free of charge
As the controller you’re responsible for the proper processing of the data
The data subject is a natural person => human.
Until this week Wikipedia stated the data subject was any citizen or individual in the EU
We’ve debated this one at length
The scope of the GDPR covers individuals in the EU. This means:
EU and non-EU citizens in the EU, but not EU citizens outside the EU
There is a lot of conflicting information online about this