The European Union’s General Data Protection Regulation (GDPR), which gives consumers the right to know, understand and consent to the data companies collect about them, will come into full effect on May 25, 2018.

As a result of the new regulation, entities based in an EU member country or those outside the EU that offer goods or services to individuals living in the EU or monitoring their behaviors must comply with the new law or risk being fined up to €20 million or 4 percent of their annual global turnover, whichever is higher.

Under the GDPR, businesses must inform individuals (referred to as “data subjects”) why they are collecting their personal data and disclose other details of their data operations to ensure transparency. Data subjects also have the right to make choices about how their information is used.

How it relates to travel

GDPR has major implications for travel services, which involve complex data transactions. Each day, personal data, such as names and passport numbers, must be transferred from data subjects to a variety of third parties — i.e., global distribution systems (GDS), travel management companies (TMC) to hotels, airlines, ground transportation providers, online booking tools, etc. Each member of this intricate ecosystem has its own obligation to comply with GDPR and decisions to make about how to keep travelers’ data safe and actions to take if there’s a breach.

It gets even more complicated because GDPR makes a distinction between two types of parties collecting personal data. There are the “data controllers,” the ones directly responsible for deciding how and why data is used, and the “data processors” that carry out the controllers’ instructions.

Because of travel’s complex supply chain, organizations may disagree on their role, but generally the GDS and travel suppliers are seen as controllers, while online booking tools are considered processors.

So what role do TMCs play? It’s a gray area, but American Express Global Business Travel (GBT) is taking on the greater responsibilities of data controller.

“Given the services we provide, we think the law requires that of all travel management companies,” Kasey Chappelle, previously chief privacy officer of American Express GBT, said during a media event last year on the topic of GDPR. “But it’s also what’s best for our clients. We’ve built a privacy program specifically designed for travel data, and we take the direct legal responsibility for its compliance.”

In an interview with the Beat, Chappelle said, “We can provide assurances the data will be protected when we are the ones controlling the process,” but it’s harder to assert control over others’ processes.

”Think about the point at which the data handoff is made to a hotel,” she added. ”The hotel is going to make decisions about how it stores and uses that data and the vendors that it uses to process the data. We can’t tell the hotel not to use those vendors or not to treat the data in a certain way. We can’t negotiate a contract like that with every hotel in the world.”

Businesses, which are considered data controllers and thus accountable for their traveling employees’ data, must do their own due diligence to ensure the entirety of their travel program complies with GDPR. A part of that may be talking to their TMC and their suppliers about how they handle their travelers’ data and verifying they are meeting the GPDR requirements as a data controller.

Chappelle said, “It’s in travel buyers’ best interest to be looking at all their contracts with TMCs and providers to ensure that within their contract the data controller has clearly stated that they offer protection.”

To assist with this task, TMs might seek the counsel of their firm’s data protection officer, a role many companies are required to fill under the new law and whose primary job is to ensure GDPR compliance.

And you can rest assured that American Express GBT has taken all the necessary steps to become GDPR compliant — here are the short and long explanations.

Privacy by design

GDPR comes at an interesting time, when the travel industry is investing in new technologies that collect data to provide travelers with a more personalized service. If companies aren’t transparent about their activities, it may be a problem under the new law.

“Travel is adopting the big data advances of the consumer technology giants,” Chappelle said, but “we should be careful not to adopt their privacy problems, too. When we use big data, when we track location for duty of care or when we put virtual assistants in booking tools, privacy protection must be built in right from the start.”

She explains that American Express GBT has addressed this by building privacy by design into our product development lifecycle. “Historically a privacy best practice, it’s now required by law in the GDPR. It means you build privacy into the technology from the beginning rather than expecting the lawyers to solve it at the end.”

This also applies to any third parties that American Express GBT uses.

“If you’re getting the third-party tools through us,” she said, “then we’ve done that due diligence; that is our vendor onboarding process and that incorporates the same privacy risk assessments that our product development process does. Whether we built it ourselves or built it in from a third party, we have done that review.”

And now it’s time for your own review to make sure you’re ready for GDPR. May 25 is nearly here! For more steps on how to prepare, click here.