Equifax, Yahoo, eBay – all major
brands that have been the targets of cyber criminals, with millions of
customers impacted in each case.
Those attacks have been so large as to attract worldwide
attention, but smaller attacks happen every day and across every sector.
And as customer data is compromised, brand reputation and
revenue can also take a hit.
In travel, several big players have been affected, with
companies such as Orbitz, Sabre, IHG, Delta and Hyatt all announcing breaches
in the last year.
With billions of dollars in transactions and billions of
pieces of personally identifiable information passing through travel companies’
digital systems every year, cybersecurity is a critical issue for the industry.
Brands rely on data to create personalized, seamless
experiences for customers – but at the same time, consumers are growing ever
more wary about sharing their personal information.
Now regulations are being put in place that give consumers more
control over their data while putting more responsibility on the organizations
that gather and store it.
The most far-reaching regulation to date is the General Data
Protection Regulation (GDPR), which governs the protection and privacy of data about
individuals in the European Union, whatever their nationality.
For part two of our series on privacy and security, we talk
to Travelport chief architect Mike Croucher regarding the benefits and
challenges of GDPR for the travel industry.
The European Parliament approved GDPR in 2016 and
gave companies two years to prepare their systems and policies for compliance. Starting
May 25, the regulation goes into effect, governing how companies gather, store,
share and destroy personal data on residents of the EU - such as their names, email addresses and mobile device IDs - regardless of where that company is.
Non-compliance can result in steep fines: a maximum
of 4% of annual global turnover or 20 million Euros, whichever is greater.
The regulation impacts a broad range of industries, and certainly travel is one of the most affected.
Eurostat, the statistical office of the European Union, estimates nearly
two-thirds (62.1%) of the EU’s population took part in tourism in 2016, making
1.2 billion trips.
Factor in that there may be multiple data collection points across a single trip – from air
and hotel bookings to ground transportation and activities – and it becomes
clear that GDPR has the potential to touch every sector of travel in every
corner of the world.
GDPR outlines responsibilities for data controllers - those entities
that determine the purposes and means of processing personal data - and data processors,
which process the data on behalf of the controller.
In general, controllers have direct contact with the data
subject and are responsible for collecting and managing consent.
As a travel commerce platform providing distribution,
technology, payment and other solutions for the industry, Travelport is a data
processor. Every day 100TB of
data are processed through Travelport’s more than 20,000 physical and virtual servers. It handles one trillion transactions annually.
For about the past year, Travelport has been actively
developing its GDPR compliance program, ensuring systems and policies are in
place, creating staff training and appointing a data protection officer as required
by the regulation for companies that “engage in large-scale processing of sensitive
But the company’s chief architect, Mike Croucher, says the regulation
is not a dramatic shift for Travelport’s business practices.
“We value the trust that companies put in us to have their
data, and therefore as a platform, we’ve always had to build that ethics into
what we do. GDPR to us is just a reflection of that in law,” he says.
“And I think there is a necessity to put it into place for
companies that were not doing that to protect the individual.”
Challenges in travel
GDPR includes several privacy principles. Organizations must
clearly state why they are collecting personal data and how it will be used;
data may be kept only for as long as necessary for that stated purpose; and data subjects
must be told if their data will be transferred outside the EU and that they have
the right to withdraw consent (and, where consent was the only basis for processing, have their data erased) at any time.
In travel, this creates challenges since customer data may
be fragmented across the channel chain.
“Who owns the customer is a very key element of GDPR,” he says.
“On our system, we probably hold an individual multiple times,
but we don’t recognize them as an individual. What we recognize is their
booking. If you booked as an individual on Expedia through us, and you also
booked through a corporate travel company, we would not recognize you are the
same person since there’s a separation of customers between the people that use
And while B2B data processors such as Travelport are not
directly responsible for getting consent, they are responsible for keeping
records of their data processing activities and understanding what type of data
is flowing through their systems and whether it is identifying a person or an anonymized
“The moment you take the name and identity out of the data,
storing it as a type of person is acceptable [without consent]. If you can
track back from that type of person to the individual, it’s unacceptable,” he says.
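The distinction Croucher draws here, between data that has been reduced to a “type of person” and data that can still be tracked back to an individual, is worth seeing in code. The following is an added illustration, not Travelport’s code: it takes a handful of constructed sample bookings (fictional names and addresses; the field names and the `TOKEN_KEY` constant are assumptions) and shows two different treatments. Stripping the name, email and device ID and replacing them with a keyed token is pseudonymisation: the same traveller always gets the same token, so bookings can be linked, and anyone holding the key can track the token back to a person, which keeps the data inside GDPR’s scope. Reducing bookings to coarse segments and suppressing any segment with fewer than `k` members is the “type of person” treatment, where no record singles anyone out.

```python
"""Pseudonymised vs. anonymised bookings.

Added illustration, not Travelport code. The booking records below are
constructed sample data; the field names and TOKEN_KEY are assumptions.
Uses only the Python standard library.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample bookings (fictional). Alice appears twice: a leisure
# booking and a corporate one, the "held multiple times" case in the text.
BOOKINGS = [
    {"name": "Alice Example", "email": "alice@example.com", "device_id": "dev-001",
     "route": "LHR-JFK", "cabin": "economy", "lead_days": 45, "traveler_type": "leisure"},
    {"name": "Alice Example", "email": "Alice@Example.com", "device_id": "dev-002",
     "route": "LHR-JFK", "cabin": "business", "lead_days": 3, "traveler_type": "corporate"},
    {"name": "Bob Example", "email": "bob@example.com", "device_id": "dev-003",
     "route": "LHR-JFK", "cabin": "economy", "lead_days": 40, "traveler_type": "leisure"},
    {"name": "Carol Example", "email": "carol@example.com", "device_id": "dev-004",
     "route": "LHR-JFK", "cabin": "economy", "lead_days": 60, "traveler_type": "leisure"},
    {"name": "Dan Example", "email": "dan@example.com", "device_id": "dev-005",
     "route": "CDG-SFO", "cabin": "business", "lead_days": 2, "traveler_type": "corporate"},
    {"name": "Erin Example", "email": "erin@example.com", "device_id": "dev-006",
     "route": "CDG-SFO", "cabin": "business", "lead_days": 5, "traveler_type": "corporate"},
    {"name": "Frank Example", "email": "frank@example.com", "device_id": "dev-007",
     "route": "AMS-NRT", "cabin": "economy", "lead_days": 10, "traveler_type": "leisure"},
]

DIRECT_IDENTIFIERS = ("name", "email", "device_id")
# Assumption: in a real deployment this key lives in a KMS/HSM, not in code.
TOKEN_KEY = b"assumed-processor-secret-key"


def token_for(email, key=TOKEN_KEY):
    """Keyed token for an e-mail address (normalised so case does not split
    one person into two). HMAC, not a bare hash: without the key, nobody can
    enumerate likely addresses and match them against stored tokens."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize(record, key=TOKEN_KEY):
    """Replace direct identifiers with a token. The result is *pseudonymised*:
    the same person always gets the same token, so bookings can be linked,
    and whoever holds the key can track the token back to the person."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_token"] = token_for(record["email"], key)
    return out


def reidentify(token, candidate_emails, key=TOKEN_KEY):
    """Track a token back to an individual given the key and a list of known
    addresses. If this can succeed, the data is still personal data under GDPR
    (Recital 26): the 'unacceptable without consent' case in the text."""
    for email in candidate_emails:
        if hmac.compare_digest(token_for(email, key), token):
            return email.strip().lower()
    return None


def lead_bucket(days):
    """Coarsen booking lead time so that exact values cannot fingerprint a trip."""
    if days < 7:
        return "short"
    if days <= 30:
        return "medium"
    return "long"


def segment(record):
    """Reduce a booking to a 'type of person': no identifiers, coarse attributes only."""
    return (record["route"], record["cabin"], lead_bucket(record["lead_days"]),
            record["traveler_type"])


def anonymize(records, k=2):
    """Aggregate bookings into segments and suppress any segment with fewer than
    k members (k-anonymity). A segment of one is an individual, not a type,
    and would let an observer who knows the route and cabin pick that person out."""
    counts = Counter(segment(r) for r in records)
    return {seg: n for seg, n in counts.items() if n >= k}


def is_anonymous(records, k=2):
    """True only if no segment of the data set singles out fewer than k bookings."""
    return all(n >= k for n in Counter(segment(r) for r in records).values())


if __name__ == "__main__":
    tok = pseudonymize(BOOKINGS[0])["subject_token"]
    print("linked to corporate booking:", tok == pseudonymize(BOOKINGS[1])["subject_token"])
    print("tracked back to:", reidentify(tok, [r["email"] for r in BOOKINGS]))
    print("segments released (k=2):", anonymize(BOOKINGS, k=2))
    print("whole data set anonymous at k=2:", is_anonymous(BOOKINGS, k=2))
```

Two points a practitioner should take from running it. First, `reidentify` succeeds for anyone holding the key, so the tokenised records are personal data and need the same lawful basis as the originals; the key, not the token, is what needs protecting. Second, `anonymize` drops Alice’s lone corporate booking and Frank’s unique AMS-NRT trip at `k=2`: a segment of one is a person, and the “type of person” claim only holds for the segments that survive the threshold.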
Privacy vs. personalization
Croucher says the idea of understanding travelers in
segmented personas suits Travelport’s needs. But that may not be the case for B2C
brands looking to drive customer engagement and loyalty. For them, the
collection and tracking of personal data may be at the core of their strategy
to show their customers they “know” them. By putting more control in the hands
of consumers, GDPR creates pressure for brands to demonstrate the benefit of their
“You need to ensure that from the customer’s perspective,
them giving you the right to use that data for personalization is of value to
them. And if it’s not of value, you’ll see them not ticking the box to give you
the right to use that data,” he says.
And as brands develop new products, such as features on
mobile or web interfaces, GDPR requires that they build in “privacy by design”
and “privacy by default” (the regulation’s own term, in Article 25, is data protection by design and by default). In other words, from the first stage of product
development, companies that handle the data of individuals in the EU must incorporate
procedures and policies that are in compliance with GDPR.
“Many times today, systems are developed and then governance
is put in to protect the use of data,” Croucher says.
“GDPR says right at the beginning, as much as we design for
failure and reliability, you need to design for privacy, and you need to design
for it by default into your systems.”
Blockchain-based solutions for traveler identity may become
more common in coming years as a way to ensure privacy and to comply with
regulations such as GDPR.
The idea is that personal data is encrypted and controlled
by the data subject who can determine on a case-by-case basis what pieces of
data to share, when to share it and with whom.
Croucher says there could also be a role for data banks - central repositories accessible only by the data owner - rather than the
current system where consumers may be giving permission to multiple companies
to store their data.
“Look at what you do with your money: You don’t give it to companies
to store in case they need it. You keep it in a central bank and release it
when it’s time to be used,” he says.
“And if you think of personal data, why aren’t you doing that?
There could be … data banks where actually you can release a certain segment of
your data to somebody for a given amount of time. And then you can withdraw the
right yourself by turning off that access and encryption key - it’s the
tokenization of your data to individuals.”
Whether that is a viable solution or some other model
develops, Croucher believes GDPR signals a permanent shift in data governance.
“I think you will see more and more of that individual
protection of data by law,” he says.
“It’s starting in Europe, but I think it’s the way the world