GDPR for Travel Companies: What You Need to Know and Do. When Paul Hewett, Commercial Director of In Marketing We Trust met Tim Bell, Managing Director of DPR Group (Data Protection Representatives Group) at SXSW earlier this year, IMWT partnered with DPR to bring you this webinar on GDPR for Travel Companies + a FREE GDPR framework to help you comply. These slides cover: *GDPR for Travel Companies: Explained Simply *"Global" GDPR *Why Travel Companies Need to Pay Close Attention *GDPR Compliance Obligations for Travel Companies *GDPR: How to Comply *Plus much more Get more information and download your FREE GDPR Framework: https://www.inmarketingwetrust.com.au/gdpr-travel-companies-free-gdpr-framework

1. THE GLOBAL IMPACT OF
GDPR FOR TRAVEL
WHAT YOU NEED TO KNOW AND DO

2. CO-
HOSTING
TODAY
PAUL HEWETT
Commercial Director
In Marketing We Trust
“...we help travel brands get more
customer and make more sales!”
TIM BELL
Managing Director
DPR Group
“...we represent our non-EU clients in
Europe”
A marketer and
lawyer walk into a
bar in Texas...

3. DISCLAIMER
This session will provide general comments on the obligations
under GDPR and some actions which can be taken to move towards
compliance.
It is not intended to be a comprehensive description of GDPR, and
is not a substitute for full legal advice, which should be sought
before drawing any conclusions on your particular circumstances.
3

4. WHAT WE’LL COVER TODAY
1. WHY GDPR MATTERS TO NON-EU COMPANIES
2. WHY GDPR MATTERS FOR TRAVEL COMPANIES
BUT FIRST...
4

5. PERSONAL DATA
Personal data is becoming more, well, personal!
5
DATA

6. 6
PERSONAL DATA IS
GROWING
Each day we leave a
trail of personal data
across the web which is
being and collected by
companies.
...And the volume of personal
data just keeps growing

7. 7

8. 8

9. 9
DAT
AWHEN PERSONAL DATA GOES BAD

10. 10

11. 11 ● 2011 Max Schrems brings action against
Facebook in Ireland for breach of privacy laws –
Facebook disables facial recognition software
● 2013 Following Snowden revelations, Schrems
brings further action, resulting in collapse of US-
EU ‘Safe Harbour’ for data transfers
● 2018 Belgian data protection authority requires
Facebook to stop tracking non-Facebook users
and delete data collected unlawfully using
cookies (fined $311,000 per day for non-
compliance)

12. 12
● 2016 WhatsApp lose case in Holland
for not appointing a local Data
Protection Representative – €1m fine
● 2017 French data protection
authority demands WhatsApp stop
sharing data with (owner) Facebook

13. 13
● 2016 UBER suffers massive data
breach, losing the personal data of
around 57,000,000 drivers and
passengers
● 2017 UBER admit to data breach,
and paying off the hackers

14. INTRODUCING ‘GLOBAL’-GDPR
What is the GDPR and why you NEED to know
about it.
14

15. ▹ EU law on data protection and privacy
▹ All individuals within the EU
▹ Gives individuals within the EU control of
their personal data
▹ Replaces the 1995 data Protection Directive
▹ Adopted into law 27-April-2016
▹ Becomes enforceable 25-May-2018
15
WHAT IS THE GDPR

16. GDPR is directly enforceable
against Australian, Asian,
American and all non-EU
companies.
16
WHY GDPR MATTERS TO YOU

17. ▹ Increased ‘Territorial Scope’
▹ Article 3(2)
▹ Any organisation which collects and/or
processes the data of EU data subjects is
required to meet the obligations of the
GDPR
▹ Regardless of their location
17
GDPR IS GLOBAL

18. 18
PENALTIES
The risk for your organisation is
significant.
▹ Large non-compliance fines
▹ Globally enforceable
▹ From 25-May-2018
€20,000,000
4% GLOBAL REVENUE

19. 19
PENALTY
POTENTIAL
$4.4 billion
$2 billion
$2 billion

20. 20
GLOBAL ENFORCEABILITY
PAUL
Authorities intend to enforce
globally.
It’s not in the EU’s interest to allow
non-EU organisations breach data
protection laws.

21. 21
GDPR IS AN OPPORTUNITY
Consumers are becoming more
data savvy by the day, getting
data privacy is a good business
decision.
▹ Tell your customers why you need their data
▹ Tell them what you’re doing with their data
▹ Tell them what you

22. 22
GDPR IS AN OPPORTUNITY
1. Ask your customers for
consent to use their data.
2. Tell your customers what
you’ll do with the data.
3. Tell your customers how
you’ll protect their data.
BE
TRANS -
PARENT.
TELL YOUR
CUSTOMERS WHAT
YOU’RE DOING AND
WHY.

23. TRAVEL WEBSITES SHOULD PAY
CLOSE ATTENTION
Most travel businesses are global. Weather
they like it or not!
23

24. 24
Hotel.sg
Theme
Park.sg
Car
Rental.sg
Germany
United
Kingdom
Australia
USA
Travel websites are
more at risk than most
other ccTDL websites
because they attract
non-domestic
customers.
TRAVEL IS A GLOBAL
MARKET

25. If you’re like other online
travel companies, it’s
likely you’re capturing
data from EU users
already…
Even if you have country code top-level
domains.
25
HIDDEN EU
CUSTOMERS

26. You may be capturing
personalised data the
minute your web tags
start firing.
Some of this is personal data.
26
HERE’S HOW
IT WORKS
Analytics
Anonymous
Personalisation
Advertising
Sign Ups
Web Forms
Progressive Profiling
Transaction

27. You may even be
capturing high-risk PII
data in your web
analytics.
▹ Data Protection Breach
▹ Against Google Terms
27 PII DATA

28. WHAT YOU NEED TO KNOW
What you need to know about GDPR as a non-EU
company.
28

29. 29
GDPR - CONCEPTS
DATA SUBJECT
The data subject is the owner of
the data and owns the rights to
their data.
CONTROLLER/PROCESSOR
Collectors and processors are
granted permission to your data by
the data subject.

30. PERSON
(SUBJECT)
CONTROLLER
PROCESSOR
SUB
PROCESSOR
Data Owned
Data
“Borrowed” for
purpose of
use.
PersonalDataBreach
30
KEY CONCEPT
The data subject owns their personal
data.
As a data controller or processor, you may
collect and use the data with the strict
permission of the data subject (some
exclusions within Article 6).
In most cases, the data subject has the
right to access and restricted use of their
personal data.

31. 31
WHAT IS A DATA SUBJECT
“Data subject” is a human.
‘personal data’ means any information relating to an
identified or identifiable natural person (‘data
subject’); an identifiable natural person is one who can
be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an
identification number, location data, an online
identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person.

32. 32
DATA SUBJECT RIGHTS
1. The right of access
2. The right to rectification
3. The right to right to erasure
4. The right to restrict processing
5. The right to be informed
6. The right to data portability
7. The right to objective
8. Automated decision making
8
DATA
SUBJECT
RIGHTS

33. 33
PRINCIPLES
▹ Lawfulness, fairness and transparency
▹ Purpose Limitation: specified, explicit and legitimate purpose
▹ Data Minimization: adequate, relevant and limited to purpose
▹ Accuracy: accurate and up-to-date
▹ Storage Limitation: no longer than is necessary for the purpose
▹ Integrity and confidentiality: appropriate security
▹ Accountability: be responsible and demonstrate compliance

34. 34
YOUR OBLIGATIONS
● More ‘state of mind’ than law
● Requires organisations to have
data protection ingrained in their
culture
PRIVACY BY
DESIGN &
DEFAULT

35. 35
YOUR OBLIGATIONS
LAWFUL BASIS
FOR
PROCESSING
You must have a lawful basis for
collecting and processing data.
● Typically, assumed to be consent
● Freely given, specific, informed and
unambiguous
● Clear affirmative action (pre-ticked
box not adequate)

36. 36
YOUR OBLIGATIONS
LAWFUL BASIS
FOR
PROCESSING
BUT there are other justifications for
processing personal data, including:
○ Contractual Obligation
○ Legal Obligation
○ Vital Interest to individual
○ Public interest
○ Legitimate Interest

37. 37
YOUR OBLIGATIONS
DATA
PROTECTION
OFFICER
Organisation that must appoint a
Data Protection Officer
● It is a public authority,
● Its core activities involve “regular and
systematic monitoring of data
subjects on a large scale”, or
● Its core activities involve processing
of ‘sensitive’ data on a large scale

38. 38
YOUR OBLIGATIONS
DATA
PROTECTION
OFFICER
● Required to manage and oversee
data protection program
● Can be outsource - with care
● Internal appointment -
recommended

39. 39
YOUR OBLIGATIONS
EU DATA
PROTECTION
REPRESENTATIVE
An organisation must appoint a Representative
where:
● It processes the data of individuals in the
EU
● It is not established in the EU
● (Exclusions for public sector, “occasional”
processing)

40. 40
YOUR OBLIGATIONS
EU DATA
PROTECTION
REPRESENTATIVE
● Purpose: allows EU-based persons and
authorities to contact the processor
● Why hidden?
○ Most material on GDPR comes from
the EU
○ This obligation does not apply to EU-
based organisations

41. 41
YOUR OBLIGATIONS
EU DATA
PROTECTION
REPRESENTATIVE
European irony at its best
● Although the obligation is hidden, failure to
comply is clear – the Representative should
be clearly identified to allow contact
● Real potential for fines – e.g. WhatsApp (up
to €1m)

42. 42
YOUR OBLIGATIONS
PROCESSING
AGREEMENTS
Where the data controller appoints a data
processor, there must be a contract which sets
out:
● Subject-matter, duration, nature and
purpose of the processing
● That the processor will only process on
the instructions of the controller
● Any non-EU countries where the personal
data will be processed
● And more…

43. 43
YOUR OBLIGATIONS
PROCESSING
AGREEMENTS
Where the data processor appoints a sub-
processor, an equivalent contract must be put
in place between the processor and sub-
processor
● It is likely these contracts will end up
being in place between two US-based
companies, where one subcontracts
processing work to the other

44. 44
YOUR OBLIGATIONS
INTERNATIONAL
TRANSFER
● When transferring data across
international borders, there must be
adequate protections in place.
● Some countries have been granted
‘equivalent’ status, confirming a level of
legal protection of personal data
equivalent to that in the EU
● Equivalent countries include Argentina,
Israel, New Zealand, Canada
(commercial organisations only)

45. 45
YOUR OBLIGATIONS
INTERNATIONAL
TRANSFER
● For US-EU transfers, the Privacy
Shield has replaced the Safe Harbor
agreement post-Snowden
● The Privacy Shield is open to
criticism under GDPR if the US can’t
give sufficient reassurances about
government interception of data
● Organisations who wish to benefit
from Privacy Shield must self-certify
to the Department of Commerce

46. 46
YOUR OBLIGATIONS
PRIVACY
NOTICE
Where personal data is collected, the
data subject should be informed:
● the identity of the data controller and Data
Protection Officer (if applicable) and how to
contact them;
● why and where the data processing is being
undertaken (including safeguards if being sent
outside the EEA);
● how long the data will be kept; and
● the data subject’s right to object to the
processing

47. 47
YOUR OBLIGATIONS
SUBJECT
ACCESS
REQUEST
A data subject (the individual) can issue a
request to an organisation which is a data
controller of their personal data to
request (among other things):
● Details of the personal data they hold
● Correction of the personal data
● Erasure of the personal data (the “right to
be forgotten”)

48. 48
YOUR OBLIGATIONS
SUBJECT
ACCESS
REQUEST
1. Must respond within one month
2. Cannot charge for response
3. BUT can refuse excessive requests

49. 49
YOUR OBLIGATIONS
DATA BREACH
NOTIFICATIONS
Where there has been a breach of
personal data which could impact the
rights and freedoms of the individual,
the data controller must inform the
relevant EU national data protection
authorities within 72 hours of
becoming aware

50. 50
YOUR OBLIGATIONS
DATA BREACH
NOTIFICATIONS
● If a high risk to the data subject,
they must also be informed
directly
● The processor is obliged to
inform the data controller
“without undue delay”

51. 51
YOUR OBLIGATIONS
DATA
PROCESSING
RECORD
● An organisation must keep records
of its processing activities for
inspection
● Should include
○ What processing is undertaken
○ On what data
○ For what purpose
○ How are the rights and
freedoms of individuals are
protected

52. 52
YOUR OBLIGATIONS
DATA
PROCESSING
RECORD
● An organisation must undertake an
assessment of the impact on
individuals’ rights when undertaking
new processing activities, particularly
using new technology
● Should include:
○ What processing is undertaken, on
what data, for what purpose how
are the rights and freedoms of
individuals are protected

53. WHAT TO DO
What you can do to demonstrate data protection
compliance
53

54. 54
MAKING COMPLIANCE EASY
We’ve created a GDPR (& Data
Protection) Compliance framework
to help Data Controllers and Data
Processors become compliant.
Here’s a summary of what to do...
GDPR & Data
Protection Hub

55. 55
UNDERSTAND YOUR RISK
▹ Evaluate your user, customer
and employee data.
▹ Is there any data from within the
EU
▹ If the answer is yes (even 1
person)
▹ You are required to comply with
the regulation
Look in your CRM, mailing lists and
web analytics for EU data.
Non-compliant

56. 56
APPOINT A YOUR
DATA TEAM
● Appoint A DPO
● Appoint an EU Representative
● Appoint Data Protection
Champions
Place your screenshot here

57. 57 COMPLIANCE GAP
ANALYSIS
● Controller and Processor
● Compliance evaluation
● Against 4 criteria
○ Transparency & Lawfulness
○ Individual Rights
○ Accountability &
Governance
○ Security, international
transfers and breaches

58. 58
KNOW YOUR DATA
● Know every data flow within your
business
● Identify where the data is
● Identify where the data goes
● Identify who has access
● How long you need it for
● If it is a risk
● If it is being transferred outside
the EU

59. 59
DOCUMENT
PROCESSORS
● Identify all your processors and
sub-processors
● Ensure they are compliant
● As a controller it’s your
responsibility

60. 60
PROCESS FOR DATA
EVENTS (REQUESTS)
● Ensure your staff and customers
have a method to make a subject
access request
● Make sure you have a process to
handle the request

61. 61
ASSETS & PROCESS
● Get your assets together
● Get your processes together
● Communicate them
● Add a privacy notice to your site

62. 62
TRAIN YOUR TEAM
● Training is not a tick box exercise
● Train your staff on personal data
protection
● Train your leaders on personal
data protection
● Personal data protection as a
concept
● Personal data protection as a
culture

63. 63
PAUL HEWETT
Commercial Director
In Marketing We Trust
paul@imwt.com.au
twitter.com/pmhewett
linkedin.com/in/pmhewett
TIM BELL
Managing Director
DPR Group
timbell@dpr.eu.com
www.dpr.eu.com
linkedin.com/in/timjbell1