Ai Editorial: Why having a core data asset isn’t enough?

First Published on 6th April, 2018

Ai Editorial: In the wake of recent concerns related to data privacy, and ongoing cases pertaining to a breach, leak or attack on personal data, it is imperative for travel companies to take stringent action, writes Ai’s Ritesh Gupta

 

The significance of a company-owned core data asset can’t be underestimated, but it also puts an additional onus on travel companies to look at critical areas: the privacy of customers, data privacy laws, and the action that needs to be taken in case there is a breach, leak or attack on personal data.

This will be a key topic of discussion at the upcoming 12th edition of Ai’s Ancillary Merchandising Conference, slated to be held next week in Edinburgh, Scotland. Considering recent incidents such as the fiasco featuring Facebook and Cambridge Analytica, and the General Data Protection Regulation or GDPR (the deadline for compliance is May 25th, 2018), travel companies have to ensure they abide by data protection rules across Europe or other parts of the world.

Getting the basics right

Here are some of the areas that need to be taken care of:

Responsibility towards travellers: Travel companies need to provide consumers with control over how their data is used. It is time travel companies found ways to request, receive and capture customer consent to the use of their personal data.

In fact, in the case of the GDPR, coverage of legal bases must feature a “freely given, specific, informed and unambiguous consent by clear affirmative action”, and also a right to withdraw consent, which must be brought to the individual's attention. The GDPR requires explicit and informed consent from EU residents for collecting and using their personal data.

In the case of a customer data platform, as we highlighted in one of our recent articles, travel companies need to:

  • Be aware of registered consent when accessing customer data. For data coming from any touchpoint and system, the related computation or processing is to be done in sync with consent: assess how the data is being used, what data is being used and for how long that data can be used.
  • Address data audits in a speedy, exhaustive manner (say, who has been accessing data).
  • Ensure there is consent across all touchpoints (including integration with consent registration databases).

The core data asset, say a customer data platform, needs to collect, manage, and store personal data responsibly. This is where the upcoming regulation, GDPR, comes in.

(Hear from experts about GDPR at the upcoming Ancillary Merchandising Conference, to be held in Edinburgh, Scotland this year, 9-11 April, 2018.)

Understanding the responsibility as an enterprise: Other than consent, organizations need to assess several other areas. Here too, GDPR is an apt benchmark for assessing preparedness.

  • What is the definition of personal data?
  • Who is liable? For instance, GDPR extends liability to all organizations that touch personal data.
  • Understand the implications for data controllers and data processors. What’s the checklist? For instance, as explained in the GDPR, controllers have to adhere to compliance measures that cover how data is collected, how it is used and the tenure for which it is going to be retained, and that make sure consumers have a right to access the data held about them. As for data processors, controllers must bind them to certain contractual commitments to ensure that data is processed safely and legally.
  • Processing must be paused if an objection is raised by an individual.
  • What if an organization is probed, summoned or asked to perform a data audit for a specific customer?
  • How can a customer data platform help in making the most of the available data while complying with both the contractual and technical challenges posed by GDPR?

 
