The General Data Protection Regulation (GDPR) is a new European requirement that comes into effect on May 25, 2018. It’s a tightening up on data privacy.

Australian businesses should determine whether they need to comply with the GDPR and if so, take the necessary steps now to ensure their personal data handling practices comply before commencement.

The measures effectively harmonise data privacy laws across Europe. In the words of the EU, they aim “to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy”.

Advice for Australian businesses

The Office of the Australian Information Commissioner has gone to some lengths to warn Australian businesses of the need to comply with the GDPR if they fall under its new broader regulations.

Those who fall under the regulations include:

• an Australian business with an office in the EU
• an Australian business whose website targets EU customers, for example, by enabling them to order goods or services in a European language (other than English) or enabling payment in euros
• an Australian business whose website mentions customers or users in the EU
• an Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.

The GDPR applies to personal data routinely found in travel programmes like HR records and contact details. However, there’s now a far broader definition of personal data, including mobile app user information, credit card numbers, transaction data, etc.

Luckily, there is quite a significant overlap between the new EU requirements and the existing Australian Privacy legislation, so if you comply at home, you should largely be okay in Europe.

While there has been no official advice for travel managers, multinationals with operations in Europe will clearly fall under the legislation. And travel managers responsible for European travellers will almost certainly have to ensure that data, such as traveller profiles, meets the privacy requirements.

If you manage European travellers remotely, you may also need to appoint a representative established in an EU member state as the point of contact for supervisory authorities and individuals in the EU.

Travel-specific implications

The GDPR covers the whole chain, from booking to billing – and you may have several EU-based organisations involved in the travel process. You probably have European airlines and hotels among your preferred partners. Maybe less obvious are some of the technology providers like Amadeus or the payment solutions like AirPlus, which have their headquarters in Europe. These organisations may store and process some of your data in Europe and if you haven’t already heard from them, it’s worth checking what measures they have in place.

For most Australian travel managers, it should be business as usual from May 25, but with very large fines threatened for transgressions, it’s worth making sure that you and your suppliers are GDPR-ready.

If you have any questions about how the GDPR might affect your travel programme, please contact us.