GDPR - Compliance & Penalties
Legislative changes in the European Union that took effect in May 2018 have ramifications across all sectors of global industry, and they particularly affect business and leisure travelers. The corporate business travel arrangement sector therefore needs to pay special attention to the new regulations, which can bring significant penalties if compliance is not met.
The new set of regulations is the GDPR, the European Union's General Data Protection Regulation (Regulation (EU) 2016/679). In short, GDPR is an update to the EU's previous data and privacy protection law, the 1995 Data Protection Directive. It is designed to improve the protection of individuals in the EU against privacy and data breaches in today's Internet-based economy. For that reason, GDPR is a good thing. But the regulation's penalties and fines for non-compliance are definitely something businesses around the world should understand.
GDPR does not apply only to countries and businesses in the European Union. It applies to any company that processes the personal data of people who are in the EU, regardless of where that company is located, whenever the processing relates to offering goods or services to those people (whether or not payment is required) or to monitoring their behavior within the EU. Note that the test is the data subject's location, not citizenship: an American on holiday in Paris is covered, while an EU national living in Texas generally is not. Non-EU businesses that process such data must, with limited exceptions, appoint a representative in the EU.
All types of businesses across the globe must be aware of and follow the GDPR's requirements for personal data protection, and the travel industry sits near the top of that list, because itineraries, passport details, payment cards and loyalty accounts are all personal data. The ramifications are significant for companies that coordinate business travel for their employees, since penalties for non-compliance have a direct, bottom-line impact on the budgets of those companies' travel arrangement departments.
What it comes down to is that travel coordinators must have a lawful basis for processing each traveler's personal data (employees traveling on business or anyone traveling for pleasure) and must tell the traveler what is collected and why. Consent is one such basis, but it is not the only one and is often not the right one: consent must be freely given and can be withdrawn at any time, and regulators treat an employee's consent to an employer with suspicion, so performance of a contract or the company's legitimate interests are frequently the better fit, with explicit consent reserved for optional uses and for special categories such as health data. Whatever the basis, it covers all personal data handled in booking, such as payment card details, date of birth, place of residence, and national identifiers like U.S. Social Security numbers. Again, GDPR is good for everyone because it better protects against personal data infringement, but companies simply need to be cognizant of the penalties for not complying with the new rules. As the old saying goes, ignorance of a law is not a legal defense. To use an old analogy, if you tell a police officer that you didn't know what the speed limit was, that doesn't mean you won't still get a ticket for driving too fast.
So, what are the penalties? Organizations in breach of GDPR can be fined up to 4% of annual worldwide turnover or €20 million, whichever is greater. This is the maximum fine, reserved for the most serious infringements (Article 83(5)): violating the basic principles of processing, including the lawful basis and the conditions for valid consent, violating data subjects' rights, or transferring personal data outside the EU without proper safeguards. There is a tiered approach to fines. The lower tier (Article 83(4)) is up to 2% of annual worldwide turnover or €10 million, whichever is greater, and applies to a company that does not keep its records of processing in order (Article 30), does not notify the supervisory authority and the affected data subjects about a breach (Articles 33 and 34), does not conduct a data protection impact assessment where one is required (Article 35), or fails to build privacy by design and by default into its processing (Article 25). It is important to note that these rules apply to both controllers and processors, so a cloud or SaaS provider that handles booking data on a travel department's behalf is directly liable as a processor, and the travel department remains liable as the controller; outsourcing to the cloud is not an exemption from GDPR enforcement.
To learn more about GDPR's requirements and non-compliance penalties, visit www.eugdpr.org. There, you will find more on the new rule structure, the changes from previous regulations on the use of private, personal data, and how it can affect your department, your company and your day-to-day way of doing business in the corporate travel accommodation world.