GUEST BLOG: Duty of Care vs. Data Privacy: Striking a Balance

By now, we are all quite familiar with the Global Data Protection Regulations (GDPR) rolled out last May. We now find ourselves in this brave new world of data privacy that require some changes to how we’ve managed our business in the past. 

In particular, GDPR has introduced a quandary for corporate travel managers as it relates to balancing employee data privacy and travel risk management obligations.

The issue is most pronounced when considering the impact of off-piste “leakage” bookings. Given that over two-thirds of employees have booked travel outside their mandated travel management company (TMC) or online booking tool (OBT) in the past year, this is a legitimate conundrum, as the critical itinerary details about those bookings exist outside the tools to manage them.

How can a company meet its duty of care liability if it doesn’t know where employees are travelling?

And more specifically: can an individual employee “opt out” of sharing their business travel plans, if doing so impedes the company’s ability to provide duty of care?

It’s an open question that has not yet encountered a formal legal challenge, so there are no clear answers. However, there are two provisions within GDPR that may offer guidance.

1. Legal Obligation. Where your company has a legal obligation to provide duty of care to employees, this may be sufficient justification for using data from the travel booking without first obtaining employee consent. There are some fences, of course, but in general if the data is necessary and there is no alternative way to meet the legal obligation without this data, you may have standing.
   
   
2. Legitimate Interest. This standard is broader in scope, but can also provide justification for using employee data to meet duty of care obligations. It uses a three-part test:

○   Purpose test – is there a legitimate interest behind the processing? Given the data is used for duty of care, and not for something akin to marketing, it’s likely this test is met.

○   Necessity test – is the processing necessary for that purpose? Can duty of care be achieved without acquiring this data? If not, then it can be deemed necessary.

○   Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?  Could the employee likely be harmed in any way by the use (or misuse) of their data for this purpose? If the potential damage is minimal, you may have standing to use the data.

Either or both standards may apply to your organisation, and if so, can offer more latitude in what solutions you may deploy to capture travel program leakage data. New technology solutions for data aggregation can help by automatically capturing these leakage bookings in real-time, but implications on data privacy must be evaluated. More traditional approaches like requiring employees to manually enter or forward in confirmation emails for off-piste bookings can meet the “consent” requirement, as can a blanket consent obtained as part of an employment agreement or traveller profile created within your OBT systems.

Enlist internal stakeholders from your risk/security, legal, HR, travel, and procurement teams to determine which path (or paths) fit best for your organisation, considering your risk profile and company culture.

Most critically, once you’ve chosen a path, make sure to communicate the program clearly to your employees.  The best duty of care approach is one that enlists employees as partners in the process, as they are the ultimate stakeholders.

To learn more, download the white paper Duty of Care vs. Data Privacy, sponsored by Traxo.

##

This post was written by Cara Whitehill, Chief Commercial Officer for Traxo, a leader in travel data aggregation solutions for corporate clients. Traxo’s services integrate with leading travel risk management solutions to capture off-piste “leakage” bookings for duty of care purposes.

Traxo is exhibiting at the Business Travel Show at Olympia London next week - register for free now at www.businesstravelshow.com 

GUEST BLOG: Off-Channel Bookings: How to Manage What You Can't See

Off-channel bookings continue to be a source of great headaches amongst corporate travel managers, and with that activity continuing to grow, those headaches won’t abate anytime soon.  A recent GBTA survey of European companies shows that approximately seven out of 10 travellers booked some component of their trip outside their official booking channel in the past year -- a statistic that, anecdotally, may even be understated.

But chances are, you already knew that -- and it’s one of the reasons you’re attending this conference.  What to do about it?

Data accessibility has quickly become one of the hottest topics in any discussion of travel management strategies, particularly as it relates to risk management and duty of care.  

New, truly automated solutions for capturing this off-channel data as it occurs are gaining traction with corporate clients across both the enterprise and mid-market sector. Offerings like Traxo FILTER, which automatically detects confirmation emails for virtually any off-channel bookings as they occur and distributes that data to the company’s risk management, expense, and travel management company (TMC) providers, and Concur’s TripLink, which import details from a traveler’s linked supplier account for nearly a dozen suppliers, go a long way toward filling in the gaps is program data visibility in a timely manner.

Figure 1 Travel Managers’ Top 3 Most Time-Consuming Activities

“…with 57% of travel managers citing travel data analysis to track program performance as one of their top-three most time-consuming activities, the problem is compounding with new supplier-direct booking.” 

(GBTA Foundation, July 2015)

Alternatively, traditional techniques for sourcing this data have relied heavily on time-consuming manual labour: either the travel manager having to manually reconcile data from their TMC(s), credit card(s), and expense management application(s), and/or the traveller having to remember to forward in copies of their off-channel confirmation emails in a timely manner.  Rarely is this data captured early enough in the travel lifecycle to be of any meaningful use for duty of care, compliance enforcement, or budget forecasting.

Testing out these new automated solutions can provide a travel manager with low-risk way to gain a wealth of new data points to help inform all aspects of their programme - from supplier negotiations to policy compliance to vendor selection.  For example, one of our clients, a boutique consultancy with a global client base, uncovered some particularly insightful details about their off-channel activity:  they assumed most of their off-channel hotel activity was going directly to supplier websites, given that their consultants are typically required to book their clients’ corporate rate directly with the property; however, data showed a fair amount of activity going to online travel agencies (OTAs) like Kayak, Booking.com, and Hotels.com, as well as AirBnB, pointing to opportunity to bring that activity back into their managed program.

With the availability of new technology solutions for tracking this “leakage” activity, there is no need to keep flying blind when it comes to managing your travel program.  Push your TMCs, expense management solutions, and duty of care providers to help you corral this data, and look into other solution suites on offer for corporate clients to bring this off-channel data back in house, where it ultimately belongs – because you can’t manage what you can’t see.

This blog was posted by Cara Whitehill, Chief Commercial Officer for Traxo, who is exhibiting at the Business Travel Show next month. Please register for your free visitor pass at http://www.businesstravelshow.com/