A few days ago, a sharply dressed gentleman walked into the office here at Blue Star. He was asking about GDPR and how it related to his travel agency.
Before you read on, watch our GDPR webinar recording.
Now, for those of you that are new to compliance with European laws, GDPR stands for General Data Protection Regulation. It’s a set of laws that have been put in place in the European Union on April 14th 2016 and are set to be enforced on May 25th, 2018.
Our visitor’s question was, “We are a travel agency that manages a lot of corporate travel. Our corporate accounts are headquartered in the U.S., but some have a few employees in Europe. How does GDPR affect us?”
Because the Blue Star staff has been getting our clients ready for the GDPR enforcement date since the enactment of the legislation back in 2016, it wasn’t difficult to get this business leader up to speed on what he and his travel agency business needed to do to become compliant.
The first thing we made clear to Dave Tragec – by this time we had learned his name – is that we aren’t lawyers. The Blue Star team handles the data security side of the GDPR compliance equation for our clients. Fortunately for Dave, the Blue Star team also supports a few law firms that have in-depth knowledge of the GDPR legislation. We gave him a few business cards of people we knew could help him with any nuanced legal questions he might have, and then began to get him up to speed on the basics of data protection.
The six principles of data protection set out by the GDPR make the following demands of Indiana and Michigan travel agencies
First, let’s look at how they appear in the legislation. The GDPR states that personal data shall be:
Before we get into explaining what each principle means for your travel agency, we should note that the GDPR applies ONLY to the information (data) gathered from people within the EU. (The United Kingdom is enacting similar legislation, so data gathered from the UK should be treated in the same manner as EU-sourced data.)
The simplest thing for a US-based company to do is to segment its data collection, management, and processing into EU and NOT EU “buckets.” The EU data “bucket” is subject to the following GDPR principles.
Note: NONE of your current data is grandfathered under GDPR. Using data gathered from EU-based individuals for ANY purpose other than the one the owner of the data consented to is not allowed. You must contact the individual and gain their consent for any additional “processing” (use) of their data.
Principle #1 – “lawfully, fairly and in a transparent manner”
Principle #1 requires your travel agency to be up-front with EU residents about what they are “signing up for” when they give you their data and puts the responsibility of the fair and lawful use of their data on the company that is collecting that data.
Principle #2 – “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”
Principle #2 makes it clear that a travel agency such as yours can only use the data collected in a way that is consistent with the specific consent given by the owner of that information.
Principle #3 – “adequate, relevant and limited to what is necessary in relation to the purposes”
Principle #3 demands that companies here in Indiana and Michigan that do business with EU residents cannot collect more data than what is absolutely necessary to accomplish the “purpose” for which the individual is giving the data to the company.
Principle #4 – “accurate and, where necessary, kept up to date”
Principle #4 requires that companies ensure that they keep accurate records of data collected.
Principle #5 – “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes”
Principle #5 concerns itself with how long data is kept. Data that does not identify the person it came from (such as a blind survey) may be kept without limit, but data that can be traced back to a specific individual must be deleted once the “purpose” (usually a transaction or subscription of some sort) for which the owner of the information gave consent is accomplished.
Principle #6 – “processed in a manner that ensures appropriate security of the personal data”
Principle #6 requires that travel agencies that do business with anyone living in the EU have data security protocols in place that ensure the protection of that data. Any breach in which data sourced from EU individuals is compromised by hackers, internal IT theft, or industrial espionage can leave the company that collected that data subject to penalties and stiff fines under the GDPR.
Published on 18th May 2018 by Jon Morningstar