Who and What can you Trust - Travel Industry - Julia Harris - Information Security Assurance and Compliance Director - Corporate 21 April 2022 - IDC
Who and What can you Trust – Travel Industry Julia Harris – Information Security Assurance and Compliance Director - Corporate 21 April 2022
Every journey has a beginning
Born different. Born on a bus, we’re part of a family with a track record for doing things differently.
Not your average TMC
• Part of Flight Centre Travel Group
• Corporate business turnover: $12.5B
• FCM established: 2004
• Client retention: 98%
• Customer satisfaction: 95%
• Global footprint: 97 countries, 8,000+ employees
• Multi award winning global travel management company
• Client growth rate: 131%
• World’s leading TMC 10 years running – World Travel Awards
Flight Centre Travel Group
“The Flight Centre Travel Group (FCTG) is one of the world’s largest travel retailers and corporate travel managers. The company, which is headquartered in Brisbane (Australia), has company-owned leisure and corporate travel business in 24 countries, spanning Australia, New Zealand, the Americas, Europe, the United Kingdom, South Africa, the United Arab Emirates and Asia. FCTG also operates the global FCM corporate travel management network, which extends to more than 90 countries through company-owned businesses and independent licensees. The company opened its first leisure travel shop in Sydney (Australia) in 1982 and listed on the Australian Securities Exchange in 1995.”
Interconnections in the Travel Industry
[Diagram. Labels: 3rd Party Systems; Risk System; Finance System; Airlines; Providers; Global Distribution System; Hotels; Online Booking Tool; Others; Banks; Traveller Web App; Mobile App; Reporting System; TMC Systems; Reservation; TMC; Traveller. Data types: PII; Financial data; Mixed data. Roles: Third party controller; TMC's data processor; Traveller's data processor.]
What Trust is there?
• Controller to Controller Relationships
  - The (third-party) controller has overall control over the purposes and means of processing personal data.
  - The controller has the highest level of compliance responsibility – they must comply with, and demonstrate compliance with, all the data protection principles within their jurisdiction. In Europe this is GDPR, but elsewhere it will be the local privacy legislation. The majority of countries in the world now have some form of privacy legislation – with the newest often seeking to be 'as tough or tougher' than GDPR.
  - Reliance on standard contractual clauses as the second most efficient international transfer mechanism for business.
  - Excellent relationships with the major entities – less supported in current privacy regimes – there is no proof in this case.
• Controller to Processor Relationships
  - Processors have responsibility for meeting legal privacy obligations to their controller(s). Wide list of responsibilities here (e.g., security, data breach notification, audits, documentation, etc.). This is true in Europe and other jurisdictions with robust privacy legislation but varies in countries outside the EU/EEA.
  - Controllers have accountability for actions of their processors when processing the controller's data. Hence annual questionnaires and on-site visits for highest risk companies are plausible.
  - Standard contractual clauses are often in place for international data transfer from controller to processors.
  - Annual questionnaires add little value in this relationship, beyond being a tick-box burden.
  - SOC2 Type II and/or ISO27001/ISO27701 are excellent options and are likely to become more prevalent.
Data Sovereignty?
• We can retain data in specific jurisdictions for the majority of occasions.
• A number of key pieces of data protection legislation contain data sovereignty requirements, either requiring data is retained in a specific geolocation or placing barriers to the transfer of that data to third countries. Examples include China's Personal Information Protection Law, Russia's Law on Personal Data, India's draft Personal Data Protection Bill, and of course Europe's GDPR.
• However:
  - In the Travel Industry Data Sovereignty is an increasingly tricky issue, because unless you only travel within one single country, or region, data has to flow outside that country or region.
  - In order to fly, your personal data, including passport details, dates of birth, and some data which may show health or religious affinities will reach your destination before you do.
  - Also, the passenger manifest of every flight is shared with every country the plane flies over under international treaties.
Travel Life
• In June 2016, Flight Centre joined the Travelife Sustainability System, an internationally recognised certification programme run by ABTA to promote sustainability within the tourism industry.
• On 17 Jan 2022 Flight Centre appointed Michelle Degenhardt as its global sustainability officer. She reports to a member of the senior management team. More will happen in this space.
• Carbon Offsetting - Air travel releases gases, including carbon dioxide (CO2), that contribute to global warming with flight causing the largest environmental impact of any holiday. Carbon Offsetting is a reduction in CO2 in one place in order to compensate for emissions made elsewhere.
• Carbon Removal - Pay companies to extract carbon from the environment equal to what is created through travel. i.e. the future of aviation fuel is being investigated to use Direct Air Capture and produce clear fuel rather than ‘black’ fuel.
• Reducing Energy Consumption
• Recycling
• We need to do this as everyone is more aware, we report on CO2 usage in our reporting. That is not why we do it though, we are committed to ensuring the future of the planet, alongside facilitating our explorations of it.
Discover the alternative