decisions based on that processing, to the extent that this could be considered profiling,” said Colliander.
This gray area is exactly what persuaded U.K. TMC Norad Travel Group to pause its consideration of introducing chatbot booking technology. “GDPR is all about explicit consent and an individual’s right and a legal basis for processing that data,” said CEO Mick Gibbs. “Who owns the artificial intelligence inside a robot?”
Vendor Certification. Suppliers need to confirm they are compliant with GDPR, ensuring, for example, that they will provide immediate notification in the event of a breach or that they will delete data as soon as they are notified an employee no longer works for a client company. Colliander’s legal team has advised her that suppliers must sign a contractual assurance that they are compliant with BCG’s 15-page data processing agreement.
The problem, according to Schoedt, is that “some vendors are prepared and some are not. In the EU, they are knowledgeable about the situation and have timetabled their preparations. Outside the EU, they don’t know how to address it. We had a contract with a U.S.-based car rental company that went back and forth with the lawyers for months because they didn’t understand what we were asking for.”
Plenty of time is needed, therefore, to ensure all suppliers will be compliant by the May 2018 deadline.
An example of just how much work that requires: “Now that we are a year away from implementation, we have a project team working on ensuring compliance with the specific details of GDPR,” said CWT’s Simms. “Key areas currently being addressed include an updated privacy impact assessment framework; updating our privacy notices and mechanisms for obtaining consent; refreshing our approach to handling questions from travelers on access, correction and deletion of information; and formally appointing a data protection officer.”
Cross-border Data Transfer. Only a small number of countries and territories outside the European Economic Area—which encompasses the EU, Iceland, Norway and Liechtenstein—are deemed by the EU to offer adequate data protection: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. The GDPR permits data transfer to countries with inadequate protection so long as approved mitigating measures are taken.
One of the most common mitigating actions, the one adopted by TravelpoolEurope, is to draft model contractual clauses, also known as standard contractual clauses, that leave a supplier in breach of contract if it does not protect transferred data to the same standard as required within the EU. Another option is Binding Corporate Rules, in which a multinational company provides evidence to an EU member state’s data protection authority that it has taken steps to ensure its transfers are compliant.
For the U.S. specifically, there is also the Privacy Shield framework, although some European companies are becoming nervous about transferring employee data across the Atlantic and instead are insisting that U.S. service providers keep information within the EU.
Though these principles seem straightforward, Colliander and her legal team are uncovering questions around which data requires compliant treatment for cross-border transfer. “Treatment of non-EU citizens’ data is still not clear,” she said.