You may have heard these acronyms being bandied around at various trade events and seen articles about them in various trade publications. If you attended the ITP conference in Oman you will have seen a presentation by Ole Mortensen on GDPR. I can tell you that PCI DSS is just as important, which is why I am raising awareness in the ITP newsletter of both of these critical changes in our industry.
Let’s start with PCI DSS. The Payment Card Industry Data Security Standard (PCI DSS) is a global data security standard that protects cardholder data (card numbers and related payment details) against theft. Airlines have asked IATA to support their own internal compliance projects by making the BSP card sales channel PCI DSS compliant. This is why IATA Accredited Travel Agents now need to become PCI DSS compliant by the end of March 2018. That’s really only a few months away! Contact your card acquirer for more information and assistance, or click on the following links for further information. This is really critical and very much needed by every partner.
Let’s move on to GDPR, the General Data Protection Regulation. It is a legal requirement from 25 May 2018, replacing the existing Data Protection Directive at European Union level and the UK Data Protection Act 1998. GDPR applies to anyone handling the personal data of EU residents; it is not about corporate or company data, it is about personal data, the traveller information you hold. You may think “I don’t deal with any European travellers”, but as a global network operation it’s important that all our partners comply, to support future multimarket sales opportunities. Penalties are high for those who don’t comply if there is a data breach and personal information is leaked. I have added a link below that takes you through what you should now know about GDPR.
The starting point for all partners is self-assessment. This will help you identify what you need to do and which areas need to be covered. To get you started, here is a link to a self-assessment website provided by Microsoft, or you can follow these simplified steps to secure your data:
• Create an accountability framework – Consider what is appropriate for your business; this may include carrying out a data audit, reviewing policies, practices and legal agreements, and carrying out data protection impact assessments. Keep clear records of every decision you make and every step you take, and of your ongoing monitoring and reviews.
• Data Protection Officer – Are you legally required to appoint one? If so, appoint one now (internal or external); if not, consider whether you need one anyway. Ensure that your officer is in place as soon as possible so that they are fully engaged and prepared for May 2018.
• Policies and processes – Because you must be able to prove that you have adhered to the data protection principles, it is vital to have strong policies and processes in place, to provide training on them, to keep them updated and to ensure they are followed. These may include, for example, a data protection policy, an information security policy, a policy on when a data protection impact assessment is required, and a breach response procedure.
• Legal agreements – Review your legal agreements carefully to ensure they are updated to cover GDPR and to protect your organisation. This includes updating the obligations in agreements with any third parties who process personal information on your behalf to reflect the changes under GDPR.
These are two very specialist areas that ITP urges you not only to think about but to set a plan of action for. If you are already actively working on these two areas, or have completed the required process, and are willing to share your experience with other partners, please let me know.
General Manager – ITP International Travel Partnership