

Wednesday, 17 October, 2018, 11:52 AM [IST]

‘A one-time investment is insufficient to maintain long-term compliance’

As technology becomes an enabler for businesses, there is also heightened risk of customer data breach. The GDPR framework by the European Union is a step in that direction to make businesses accountable for safeguarding customer data, and India is also on the path to update its Information Technology Act to address concerns of data security. Ashish Kishore, Managing Director - India, American Express Global Business Travel, speaks to Disha Shah Ghosh on the subject and its implications for the travel industry in India.

Q Technology in the past decade has been a disruptor across businesses. How do you view this change in the travel space? Your forecast for the future?
New technologies have always driven innovation and disruption in business across all industries, and the business travel industry is no exception. Over the years, consumer expectation and company requirements have resulted in the advent of numerous technologies which are commonplace in corporate travel today such as online booking tools, travel apps, and tools to track and communicate with employees during travel disruptions.

We see our role as becoming far more than a medium for employees to book a flight or a hotel, but rather an end-to-end travel platform where travellers can arrange their itinerary with the content of their choice, at a time of their choice, via the medium of their choice, whether that be through a phone call, online, or app.

Q With technology, there has been a massive influx of customer data. What kind of challenges has been created for travel companies?
The enormous increase in customer data that many companies hold, not just within the travel industry, has brought with it numerous challenges. Firstly, customer expectations around their data are greater than ever before, and companies need to be able to record and protect that data, but also remove it from their systems when requested. Modern expectations for the management of data, for example within a travel app, would be for it to know where you are, what you want to eat, and your travel itinerary, but for you to also have complete control over your data. This requires a sophistication of systems, and comes at a cost.

Additionally, the costs of managing and protecting customer data are continuing to rise, and businesses need to be prepared to manage this. Fortunately, increases in the democratisation of data within many organisations are also enabling rising numbers of staff to identify ways in which customer data can drive enhanced value for a company. In this way companies are seeing overall benefit from the free flow and use of data within an organisation, while dealing with increasing pressure to protect it.

Q With the General Data Protection Regulation (GDPR) coming into force this year in May, what kind of changes are required to be made by businesses in India in the travel space?
GBT has been quite vocal in India on the topic of GDPR because it has consistently been a hot topic for our clients, particularly local Indian companies looking to expand globally. To provide guidance on this, we recently put together our own White Paper on GDPR to help companies understand how privacy laws are changing around the world.

For us, as a global travel management company, GDPR, and other such data privacy regulations are typically considered ‘business as usual’. This is because there have always been high expectations regarding data protection for travel companies, based on the highly sensitive information that we manage. Additionally, our roots as a bank holding company, and as the only travel management company that is party to the Binding Corporate Rules, put us in a strong position to meet the GDPR requirements from the outset.

In this regard, the key impact that GDPR has made on the business atmosphere in India for the travel space is that it has enabled reputable operators within the industry to assert their knowledge and experience in data security to the benefit of companies who are currently undertaking a steep learning curve.

Q For the travel & tourism industry, which is a complete customer-centric business with access to large-scale data, what kind of technological investments will have to be undertaken to comply with GDPR?
Due to the highly sensitive data which has always been managed by the travel industry, some travel management companies with an international presence, such as GBT, were already GDPR compliant well before the May deadline. That being said, maintaining a successful and comprehensive data protection programme requires continual focus and investment, particularly in technologies that can assist with compliance. A one-time investment is insufficient to maintain compliance in the long term.

Q What are the key challenges in terms of identifying key data protection issues?
For businesses, data protection issues are related to the ability of the organisation to adequately protect customer data from increasingly complex outside threats, and this requires robust systems and technologies that keep pace with cyber-criminal tactics.

Separately, the topic of data management, that is, what information a company holds about a customer and how it can be used, is still an emerging challenge. Consumer activism regarding data management is something which we expect is likely to increase in coming years and companies will need to be prepared to accommodate rising expectations over the management and use of data.

Q Justice BN Srikrishna committee has submitted its report on data protection “A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians” along with a draft data protection bill. What kind of precedent will the GDPR have on the upcoming policy in India?
We view it as a smart move by the Indian government to wait until GDPR came into force before establishing its own data protection regime. In this way India has been able to understand and appreciate the key elements of GDPR and can build on those elements with laws and regulations that extend beyond the existing Information Technology Act.

Key recommendations of the Srikrishna Committee provide valuable transparency to Indian customers regarding how their information is stored and managed. In particular, the requirement of at least one copy of personal data to be stored physically in India provides clarity over a key issue of data sovereignty.

Q What kinds of changes have been effected at American Express GBT to comply with the GDPR norms?
For GBT, GDPR compliance has not required many substantive changes as we have maintained a best-in-class data privacy programme for years. GBT is not only legally required to maintain this programme, but our clients expect (and demand) it.

Since 2015, American Express GBT has created, conducted and improved the Privacy Risk Management Programme, an accountability framework which delivered GDPR-readiness. The Privacy Risk Management Programme operates seamlessly with American Express GBT’s data governance programme and an information security risk management framework.
© Copyright 2015 Saffron Synergies Pvt Ltd