Data protection key

The implementation of strict new data protection laws in the European Union later this month is likely to have global impacts, with businesses in Australia being warned of the implications and urged to prepare for the changes. The new General Data Protection Regulation (GDPR) comes into force on 25 May and represents a “once-in-a-generation tightening of privacy and data protection rules,” according to Sasha Kalb, vice president of compliance in Asia Pacific for American Express Global Business Travel.

Speaking to travelBulletin in Sydney last month, Kalb said the aim of GDPR is to ensure that businesses are transparent about how they handle individuals’ information — and the fines are massive for non-compliance. The rules apply to businesses of any size conducting any sort of transactions with customers or suppliers in the EU.

“Under GDPR it’s essential for businesses to have confidence that other firms to which they transfer personal data also meet global protection regulations,” Kalb said, noting such details would include names and passport numbers involved with day-to-day travel bookings.

She said that to deal with GDPR, businesses need to undertake a range of steps, including maintaining a written report with details of all their data processing activities. They must ensure they are effectively and transparently communicating what happens to customer data, including having a “complete and compliant privacy notice” and ensuring that they have confidence in businesses to which they transfer personal data. Another key regulation mandates notification of any data breaches within 72 hours of their occurrence.

Kalb noted that Amex GBT’s legacy as part of a financial services company has placed it in a good position to meet the accountability requirements for GDPR, having since 2015 created, conducted and improved its Privacy Risk Management Programme, which operates seamlessly with its other operations to ensure full accountability.