Ai Editorial: How is your GDPR transformation process coming along?

Ai Editorial: General Data Protection Regulation or GDPR compliance is a complex journey. It demands enterprise-wide introspection, be it for keeping a tab on the use of personal data or breach prevention or training of employees, writes Ai’s Ritesh Gupta


Travel e-commerce companies have been assessing their existing level of data protection compliance, as GDPR comes into force on 25th May this year. The impact of this regulation would be extensive, as it applies not just to entities based in Europe, but to any organization that holds or processes personal data of individuals residing within the European Union (EU).

What makes meeting compliance challenging is the fact that there is no silver bullet and there is no shortcut to be GDPR compliant. For instance, security experts can help in ensuring the unprotected PII data is identified, whereas marketing technology specialists would ensure how personal data is being used and how to put in place registered consent when accessing customer data.

The travel industry will be impacted due to the large volume of personal and sensitive data it processes about travellers.

The regulation, which places greater emphasis on consumer consent and transparency in the collection and use of personal data, impacts those entities engaged in administering/ managing personal data within the EU or the European Economic Area (EEA). There are more aspects as for the impact of GDPR on travel organizations, including offering services to citizens in this area, scrutinizing the conduct/ behavior of people as part of data strategy etc. Going deeper, organizations within Europe that are associated with or avail the services of 3rd party companies based outside of the EU/ EEA have to ensure their partners/ vendors comply by the enforcement of GDPR or on behalf of these businesses. To summarize, this regulation impacts data controllers (garner data) and data processors (process data on behalf of a data controller). In November last year, law specialist firm Axiom indicated that that global companies had millions of contracts that needed to be identified and remediated by May 2018, at a cost of over more than $1.06 billion, referring to contracts between controllers and processors.

One way to evaluate the significance of the European Union’s GDPR is the failure on the part of an organization’s to meet the requisite compliance. It can result in bad PR plus a hefty penalty, too. It can touch an upper limit of €20 million or 4% of annual global turnover – whichever is higher. But more importantly, in terms of being data-centric and connecting the dots along a traveller’s entire journey, it offers an even bigger opportunity. Here are few aspects that are being discussed as of today:

  • Impact on the ownership of data: Before delving into how the GDPR impacts companies focused on data, the definition of personal data needs to be understood. It isn’t only about conventional personally identifiable information, say a name or an email id. Rather it also features identifiers that may, when combined with other data, identify an individual. Of course, airlines are getting used to this definition of personal data. Businesses have been keen on counting on any signal or identifier that helps them to stitch a profile and know the preferences/ behavior of their customers. So this new ruling will definitely have an impact on how travel companies collect, manage, and store personal data. Considering that we are in the era of a single view of passengers/ travellers, one in which airlines are looking at what’s happening across a user’s every search, what they browse, their booking and journey, airlines need to re-examine  the way they manage data, and plan for new processes and technologies enabling the consumers right to “own” their data. GDPR is not only about winning the trust of customers, but it is also having an impact on enterprise-wide functioning. In fact, GDPR is fuelling drive towards the initiative of digital transformation. Also, better compete with data-rich ecosystems or companies, be it for Alibaba, Google, Facebook etc.
  • Winning over the trust of customers: GDPR has come at a stage when there is a lack of trust among customers (concerns about privacy, lack of trust in brands among the most etc.). Plus companies are also pursuing personalization in a big way. But for this to work, data is of paramount importance and consumers won’t share data with companies they don’t trust. GDPR will raise awareness among customers about data collection and eventually would encourage them to trust brands. Expect competition to go down from companies that mishandle/ misuse data. Also, rather than considering security and customer experience separately, this development paves way for a more holistic view of the customer experience.


GDPR compliance is a complex journey. A couple of areas that demand attention include keeping a close tab on the use of personal data and breach prevention.

  • Personal data: According to NGDATA (conducted a webinar this week, titled “Maximize the value of customer data within the boundaries of GDPR”), there is a need to be aware of registered consent when accessing customer data (so data coming from any touchpoint and system, the related computation or processing of data is to be done in sync with consent, assess how the data is being used, what data is being used and for how long that data can be used), address data audits in a speedy, exhaustive manner (say who has been accessing data) and ensure there is consent across all touchpoints (including integration with consent registration databases).
  • Breach prevention: It becomes extremely important for airlines to come to grips with their technical and organizational security measures, and appraise their respective cyber insurance policies to ensure they sufficiently cover the costs of a data breach. It is also being highlighted that the regulation requires data controllers to inform their national regulator of a data breach within 72 hours of discovering it, “if the breach is likely to result in a risk to the rights and freedoms of individuals.” As highlighted by Foregenix, the potential fines suggest that “any form of negligence or poor governance where data breaches are concerned is likely to prove extremely costly. And that's without factoring in the cost of legal representation to defend your position”.
  • Being responsible: It is vital to train and educate employees about the new regulations and impacts on data handling and breach notification, and every individual has a responsibility to ensure their role doesn’t contribute to the leakage of PII. According to Foregenix, being aware of what data a business requires, how it is used and how it flows around the organization will be essential for achieving and maintaining compliance with GDPR. Also, security awareness training modules including one for GDPR can help in preparing the whole team.


Hear from experts about GDPR at the upcoming Ancillary Merchandising Conference, to be held in Edinburgh, Scotland this year (9-11 April, 2018).

For more info, click here


For Ai’s 2018 Events, check -

Follow Ai on Twitter: @Ai_Connects_Us