GDPR: TMCs must give responsibility for profile data to their corporate customers!
Stefan Latz is Chief Consultant and Data Protection Officer in Cyber & Information Security at TÜV Hessen in Darmstadt, Germany. His work includes intensively dealing with the effects of GDPR on the business travel sector.
What risks do companies and travel agencies take if they keep personal data without a legal basis – for example, data of employees who have left the company?
That’s easy: if there is no purpose and no legal basis for processing of personal data (=data waste), it must be deleted. Anyone who doesn’t is acting deliberately. Then it is only a question of the amount of the fine they’ll receive.
Who is actually held liable in this case? The travel agency/TMC or the business client?
The company is responsible for making sure the TMC has an up-to-date list of travellers! There are plenty of easy technical possibilities to make this happen – with Umbrella, for instance. TMCs must simply coordinate things with their clients. The longer a company delays, the bigger the offence because the wilful intent increases. Because profile data often includes sensitive information, the authorities have to get involved and issue a fine.
So you think travel agencies/TMCs should absolutely not take responsibility for profile data?
But we both know that only few companies keep their TMC partners up to date with traveller lists. Why is that?
For one thing, only a few companies have an idea of how far personal data is transferred as soon as it is delivered to a TMC. On the other hand, despite the clear rules, legal action is still relatively rare. But that doesn’t change the fact that many companies are taking a considerable financial risk here – one that actually doesn’t need to be taken because there are easy ways to avoid it!
So what are these easy ways?
Employee onboarding and offboarding must be managed using a company-wide, cross-system digital workflow. Usually there is a leading system such as Active Directory for this. Let’s stay in the travel sector: a connection between the Active Directory or HR system (such as SAP, Workday or bamboo) and the travel agency’s profile management system guarantees that the TMC always has a correct, up-to-date list of travellers. Problem solved!
A feasible, practical alternative, especially for smaller companies, would be for the TMC to give the company direct access to the profile system. This means that the list of travellers can be kept up to date by the corporate customer, at least manually.
And finally, a more personal question: what was your most impressive travel experience so far?
That was a business trip to South Korea, doing an audit of three of the country’s power plants! That was in 2013 and it was astonishing how advanced mobile technology was there at the time. One weekend, we went to Mudeungsan National Park north of Gwangju and were amazed that really every Korean was making video calls.