GDPR to trigger change in Mideast travel trade
Travel trade entities need to evaluate and reinforce their information management systems to avoid the risk of data breaches.
Dubai - Sweeping EU rule brings unprecedented protection of data
The European Union's General Data Protection Regulation (GDPR), which went live on May 25, 2018, should serve as a clarion call for Middle East travel trade companies to overhaul their data protection and privacy policies and their execution processes. This is of particular importance to companies in travel and visa facilitation services, simply because these companies are privy to a large amount of personal data. The GDPR is meant to protect the privacy and personal information rights of individuals, and data breaches can attract heavy fines.
While many Middle East businesses dealing with an EU counterpart come under the GDPR regime, in the case of travel trade, the impact of GDPR is far more pervasive. For instance, any outbound traveller to any of the Schengen and UK destinations from the Middle East and North Africa, irrespective of nationality, is also covered under the sweeping data protection and privacy rights regulation by virtue of applying for a Schengen or UK visa. This makes it critical for travel trade entities to evaluate and reinforce their information management systems to avoid the risk of data breaches, particularly because citizens and expatriates alike from the UAE and GCC travel to European destinations in large numbers. If we take a count of our business alone, we processed over 1.6 million visa applications to Europe from across Mena countries, a lion's share of it coming from the GCC. This obviously made it imperative for us to put fool-proof systems in place in earlier years, well in advance of the new legislation, and we are now one of the 15 per cent of companies globally that are GDPR-compliant.
The GDPR law was enacted two years ago, while its enforcement across all 28 EU countries came into effect last month. The legislation raises the standards of personal data privacy not just across Europe but across the world by changing the rules for companies that collect, store or process user information. Every company that operates in Europe, or has European users, is required to comply with the GDPR standards.
The fact is that GDPR has become the global benchmark for privacy and data protection, with a strong chance of it being followed as a framework in other geographies of the world. In this light, it is better that business houses in the Middle East look at this as an opportunity to enhance their processes and systems to ensure increased data protection and privacy.
The sweeping scope of GDPR, which encompasses the right to access data, modification and erasure, and the right to object to automated processing or even to restrict processing, among others, brings in an unprecedented level of data protection and data ownership rights. It even strictly controls targeted emails unless there is explicit consent from an individual at the receiving end. Companies will have to review their systems and make sure there are no loopholes for data leakage. For us, even though we do not store data beyond the application process, as per the policy given by the respective client governments, we had to change and review our process paths. This ranged from deploying a state-of-the-art website cookie preference centre that allows users to choose what cookies they want in their browser to the creation of a dedicated communication channel for applicants to find out how their personal data is used and to answer their queries. Extensive training of our staff has also been part of our preparations.
We are also looking at having impartial data protection champions across the regions we operate from, including in Mena. I am sure many companies in the region would also have done gap analyses and are looking at GDPR compliance as a means to strengthen their data and privacy norms, and naturally so, since the new regulation is a harbinger of change.
The writer is group data protection officer at VFS Global. Views expressed are his own and do not reflect the newspaper's policy.