Unlocking travel security, part 2: The looming GDPR deadline

Equifax, Yahoo, Ebay – all major brands that have been the targets of cyber criminals, with millions of customers impacted in each case.

Those attacks have been so large as to attract worldwide attention, but smaller attacks happen every day and across every sector.

And as customer data is compromised, brand reputation and revenue can also take a hit.

In travel, several big players have been affected, with companies such as Orbitz, Sabre, IHG, Delta and Hyatt all announcing breaches in the last year.

With billions of dollars in transactions and billions of pieces of personally identifiable information passing through travel companies’ digital systems every year, cybersecurity is a critical issue for the industry.

Brands rely on data to create personalized, seamless experiences for customers – but at the same time, consumers are growing ever more weary about sharing their personal information.

Now regulations are being put in place that give consumers more control over their data while putting more responsibility on the organizations that gather and store it.

The most far-reaching regulation to date is the General Data Protection Regulation (GDPR) regarding the protection and privacy of data about citizens of the European Union.

For part two of our series on privacy and security, we talk to Travelport chief architect Mike Croucher regarding the benefits and challenges of GDPR for the travel industry.

Background

The European Parliament approved GDPR in 2016 and gave companies two years to prepare their systems and policies for compliance. Starting May 25, the regulation goes into effect, governing how companies gather, store, share and destroy personal data - such as their names, email address and mobile device IDs - on residents of the EU, regardless of where that company is located.

Non-compliance can result in steep fines: a maximum of 4% of annual revenue or 20 million Euros, whichever is greater.

The regulation impacts a broad range of industries, and certainly travel is one of the most affected.

Eurostat, the statistical office of the European Union, estimates nearly two-thirds (62.1%) of the EU’s population took part in tourism in 2016, making 1.2 billion trips.

Consider that there may be multiple data collection points across a single trip – from air and hotel bookings to ground transportation and activities – and it becomes clear that GDPR has the potential to touch every sector of travel in every corner of the world.

The regulation

GDPR outlines responsibilities for data controllers - those entities that determine the means of processing personal data - and data processors which process the data on behalf of the controller.

In general, the controllers have direct contact with the data subject and are responsible for collecting consent and managing consent revocation.

As a travel commerce platform providing distribution, technology, payment and other solutions for the industry, Travelport is a data processor. Every day 100TB of data are processed through Travelport’s more than 20,000 physical and virtual servers. It handles one trillion transactions annually. 

For about the past year, Travelport has been actively developing its GDPR compliance program, ensuring systems and policies are in place, creating staff training and appointing a data protection officer as required by the regulation for companies that “engage in large-scale processing of sensitive personal data.”

But the company’s chief architect, Mike Croucher, says the regulations are not a dramatic shift for Travelport’s business practices.

“We value the trust that companies put in us to have their data, and therefore as a platform, we’ve always had to build that ethics into what we do. GDPR to us is just a reflection of that in law,” he says.

“And I think there is a necessity to put it into place for companies that were not doing that to protect the individual.”

Challenges in travel

GDPR includes several privacy principles. Organizations must clearly state why they are collecting personal data and how it will be used; data can only be stored “for the shortest time possible”; and data subjects must be told if their data will be transferred outside the EU and that they have the right to withdraw consent (and therefore have their data erased) at any time.

In travel, this creates challenges since customer data may be fragmented across the channel chain.

“Who owns the customer is a very key element of GDPR,” Croucher says.

“On our system, we probably hold an individual multiple times, but we don’t recognize them as an individual. What we recognize is their booking. If you booked as an individual on Expedia through us, and you also booked through a corporate travel company, we would not recognize you are the same person since there’s a separation of customers between the people that use our system.”

And while B2B data processors such as Travelport are not directly responsible for getting consent, they are responsible for keeping records of their data processing activities and understanding what type of data is flowing through their systems and whether it is identifying a person or an anonymized persona.

“The moment you take the name and identify out of the data, storing it as a type of person is acceptable [without consent]. If you can track back from that type of person to the individual, it’s unacceptable,” Croucher says.

Privacy vs. personalization

Croucher says the idea of understanding travelers in segmented personas suits Travelport’s needs. But that may not be the case for B2C brands looking to drive customer engagement and loyalty. For them, the collection and tracking of personal data may be at the core of their strategy to show their customers they “know” them. By putting more control in the hands of consumers, GDPR creates pressure for brands to demonstrate the benefit of their services.

“You need to ensure that from the customer’s perspective, them giving you the right to use that data for personalization is of value to them. And if it’s not of value, you’ll see them not ticking the box to give you the right to use that data,” he says.

And as brands develop new products, such as features on mobile or web interfaces, GDPR requires that they build in “privacy by design” and “privacy by default.” In other words, from the first stage of product development, companies that deal with the data of EU citizens must incorporate procedures and policies that are in compliance with GDPR.

“Many times today, systems are developed and then governance is put in to protect the use of data,” Croucher says.

“GDPR says right at the beginning, as much as we design for failure and reliability, you need to design for privacy, and you need to design for it by default into your systems.”

Future developments

Blockchain-based solutions for traveler identity may become more common in coming years as a way to ensure privacy and to comply with regulations such as GDPR.

The idea is that personal data is encrypted and controlled by the data subject who can determine on a case-by-case basis what pieces of data to share, when to share it and with whom.

Croucher says there could also be a role for data banks - central repositories accessible only by the data owner - rather than the current system where consumers may be giving permission to multiple companies to store their data.

“Look at what you do with your money: You don’t give it to companies to store in case they need it. You keep it in a central bank and release it when it’s time to be used,” he says.

“And if you think of personal data, why aren’t you doing that? There could be … data banks where actually you can release a certain segment of your data to somebody for a given amount of time. And then you can withdraw the right yourself by turning off that access and encryption key - it’s the tokenization of your data to individuals.”

Whether that is a viable solution or some other model develops, Croucher believe GDPR signals a permanent shift in data governance.

“I think you will see more and more of that individual protection of data by law,” he says.

“It’s starting in Europe, but I think it’s the way the world is going.”

• Unlocking travel security, part 1: The threat landscape