by Kevin Iwamoto | July 7, 2017

Have you heard about the European Union's General Data Protection Regulation (GDPR)? Whether you are a buyer or supplier, you need to immediately start asking within your organization how this new measure will impact your existing and future travel- and meetings-supplier agreements. The GDPR will affect almost all countries in the world, because it will extend the EU data-protection law to all foreign companies processing data of EU residents, regardless of location.

GDPR comes into enforcement on May 25, 2018, and is directly aimed at giving greater data protection in the member countries of the EU (currently 28 nations, including the United Kingdom until Brexit). The total population directly impacted by GDPR in all these countries is roughly 508 million people.

At the very core of the GDPR is data privacy and governance. How companies address the new regulations will invariably impact their business processes and also will add operational costs, as each company will have to impose ongoing audits and assessments and employ data-protection experts as part of the newer and stricter data-governance regulations.

For those opting to ignore the GDPR and hoping the EU will forget about it, note: There is no avoidance, as violating companies will face stiff penalties for noncompliance to the tune of 4 percent of annual corporate revenues or 20M Euros, whichever is the greater of the two penalties!

In case you are wondering about the scope of personal data covered by the GDPR, it's more than just name and address; it also includes details about income, health, frequent-flyer and frequent-stay accounts, birthdays, age, food preferences, allergy notifications, cultural and ethnic background, etc.

There also are guidelines as to how long a data collector can retain the information and regulations for mandatory purging of personal data.

Think about how much personal data companies and their preferred supplier partners collect and retain for their employee travel, meeting/event attendees, guests, etc. The GDPR will require a review and remedy for existing travel and meeting processes, supplier agreements and a whole lot more. This kind of thoroughness will require time, budget and revised preferred-supplier considerations for all business travel and corporate meeting and event leaders.

You should give a heads-up to all your current preferred travel and meeting suppliers that collect personal data, notifying them that they need to check on what their companies are doing with regard to next year's GDPR launch.

So, what about Privacy Shield, which replaced Safe Harbor? Are Privacy Shield members exempted from the GDPR?

According to the Privacy Trust website, the GDPR has specific requirements regarding the transfer of data out of the EU. One of these requirements is that the transfer must take place with countries deemed as having adequate data-protection laws. The EU does not list the U.S. as one of the countries that meets this requirement.

"Privacy Shield is designed to create a program whereby participating companies are deemed as having adequate protection, and therefore facilitate the transfer of information," notes Privacy Trust. "In short, Privacy Shield allows U.S. companies, or EU companies working with U.S. companies, to meet this requirement of the GDPR."

However, according to other experts like Foley and Lardner LLP, Privacy Shield might not survive when the GDPR kicks in, because the premise of "adequate data protection," especially for U.S. companies, has been challenged as inadequate. On their website, Foley and Lardner say that "The European Union Article 29 Working Party issued an opinion on the proposed EU-U.S. Privacy Shield framework agreement earlier this week, stating that although the Privacy Shield was a 'great step forward,' the Article 29 group identified several areas in which it found the Privacy Shield to be unacceptable, including that it permits the U.S. to carry out 'massive and indiscriminate' bulk surveillance of European Union citizens."

The biggest change in my opinion is the escalation and elevation of anything regarding data privacy to the corporate C-suite. The Foley website page notes, "Companies should be aware that GDPR shifts the issue of privacy and personal data protection even further from an information technology issue to a board of directors and C-suite issue. GDPR will have a tremendous impact on the day-to-day operations, costs and potential liabilities of the company that demands board-level attention. Furthermore, under Sarbanes-Oxley in the United States, public companies may need to disclose GDPR's increased operational costs and potential for high liabilities to their investors."

If the above is true, that means agreements with travel-management and meeting-management companies, mobile-app suppliers and any suppliers that support your current corporate travel program or strategic meeting management programs will require C-level or board awareness and further scrutiny to ensure compliance and avoidance of any potential violations that could incur penalty charges.

All of this is no doubt a big step toward combatting all the sinister data hacking and phishing activities that are being perpetrated around the globe, but it does require a tough introspective look at how companies and their supplier partners treat and retain personal data.

I highly recommend both buyers and suppliers in the business-travel and meetings-and-events ecosystems start the process now to be compliant with the GDPR before the enactment date. The penalties and stiff fines are more than enough incentive to get this message out and for companies to start treating data privacy as a primary corporate objective vs. an aspirational goal. Frankly, you have less than one year to be GDPR compliant. If you are aware of this now and have done nothing to date, you are running out of time.

Kevin Iwamoto is senior consultant at GoldSpring Consulting. You can follow him on Twitter @KevinIwamoto. His book, Your Personal Brand: Your Power Tool to Build Career Integrity, is available from Amazon (including a Kindle version), as well as from CreateSpace.