GDPR: travel industry can be the beacon

The European Union’s (EU) General Data Protection Regulation (GDPR) has been active since May, and while many large multinationals are already GDPR-compliant, some smaller players, including many small and mid-sized Indian companies, are not.

A legitimate reason is that GDPR’s regulations are only applicable if the company has a presence, offers goods or services, or monitors individuals’ behaviours in the European Union. A number of Indian firms are experiencing high growth, and are beginning to explore opportunities globally. It’s critical they prepare for the obligations of a multinational organisation, and for those that do intend to conduct business within Europe, that they have prepared themselves to be GDPR-compliant.

Their existing privacy policies must be enhanced to meet the stricter regulatory obligations of the global marketplace, such as GDPR. Companies conducting business in Europe that fail to meet these standards risk fines of up to €20 million, or 4% of annual revenue for the fiscal year, whichever is higher.

For the new kids on the block — India’s future global corporations — regulatory requirements may prove to be an early stumbling block if they’re not sufficiently prepared.

‘Business as usual’

For many of our clients, particularly local Indian firms looking to expand globally, GDPR is a hot topic. For us, as a global travel management company, GDPR and other such data security regulations are typically considered ‘business as usual’. There have always been high expectations regarding data protection for travel companies, based on the highly sensitive information that we manage. Additionally, our roots as a bank holding company, and as the only travel management company which adheres to the Binding Corporate Rules, put us in a strong position to meet the GDPR requirements from the outset.

India’s growth sectors such as retail, banking, insurance and telecom are key areas where global expansion will likely require GDPR compliance. The travel industry’s experience in data security can provide tremendous benefit to those who are still finding their way. A few tips here:

First, companies should create a robust data inventory to ensure that they are effectively and transparently communicating their data processing activities. They should also put in place a regular internal audit process.

Second, companies should educate employees and provide training around privacy and security awareness.

Finally, any business with European partners must understand its data protection obligations, especially any contractual obligations which relate to the way personal data is handled. European businesses will require their Indian partners to put in place new mechanisms to ensure any personal data transferred between them meets the GDPR’s requirements.

(The writer is managing director, India, American Express Global Business Travel)
