At Corporate Travel Management (CTM), we value your privacy and have always taken our data protection obligations seriously. You own your data, and we are committed to ensuring it is kept safe and secure.
From 25 May 2018, new legislation affects how companies collect, store and use personal data belonging to European Union (EU) residents, irrespective of where the company itself is located. The General Data Protection Regulation (GDPR) is designed to give individuals better control over their personal data and to allow them to manage their consent.
Businesses of any size may need to comply with the GDPR if they have an establishment in the EU, if they offer goods or services to individuals in the EU, or if they monitor the behaviour of individuals in the EU.
YOUR PRIVACY IS OUR PRIORITY
CTM is used to working with customers whose businesses demand confidentiality and robust security. We have long had the processes and systems to provide you with the required comfort that your data is in good hands.
In order to achieve GDPR readiness and comply with the new regulation, effective 25 May 2018, Corporate Travel Management has appointed a dedicated Information Security and Data Protection Officer, who has been working in our business since November 2017. Our DPO is implementing a 12-point plan based on the ICO’s “Preparing for the GDPR” guidance. We are engaging with suppliers to finalise our plans and are implementing them in good time.
We are rolling out an internal training program, updating our policies and privacy notices, and reviewing contracts with suppliers to ensure that customer requirements are met. Work is underway to ensure that all data subject rights can be fulfilled by our systems, and incident reporting procedures are being updated to GDPR standards.
Corporate Travel Management is PCI DSS Level 3 compliant and is actively pursuing certification to ISO/IEC 27001:2013. We undertake regular penetration testing and ensure that all our staff are trained in, and aware of, our privacy and security policies.
Corporate Travel Management (CTM) takes its Data Protection obligations seriously. In order to achieve GDPR readiness and comply with the new regulation, effective 25 May 2018, CTM appointed a dedicated Data Protection Officer in 2017. Our 12-point plan, based on the ICO’s “Preparing for the GDPR” guidance, is nearing completion. The sections below follow the ICO’s 12 steps.
1. Awareness
CTM has drawn up customised GDPR eLearning material relevant to Travel Management Companies and is rolling this out to all personnel. The training will be updated as circumstances change and forms the basis of mandatory, regular training. Top management also receive the training so that it informs decision making.
2. Information you hold
CTM has detailed catalogues of its data streams, and a summary “Customer Data Processing Activities” document appropriate for client needs.
3. Communicating privacy information
CTM is reworking its own privacy notices to be GDPR-compliant by 25 May 2018, and will co-operate with customers in delivering any privacy notices they wish to communicate.
4. Individuals’ rights
CTM is adopting a “Data Subject Rights Policy”, which covers the rights set out in Articles 15 to 22 of the GDPR. The policy specifies co-operation with clients in fulfilling requests, and co-ordination along the supply chain.
5. Subject access requests
The handling of Subject Access Requests is set out in our Data Subject Rights Policy.
6. Lawful basis for processing personal data
CTM has reviewed its legal justification for the data processing it does on behalf of customers, and in all cases the lawful basis is “Performance of a Contract” as specified in Article 6(1)(b) of the GDPR.
7. Consent
CTM does not carry out any personal data processing for customers on the basis of individuals’ consent.
8. Children
- CTM does not accept direct bookings from children; bookings are always made by an adult on a child’s behalf.
- Hence our processing of children’s data is carried out under the booking contract. If a child’s consent is required for any processing, it must be obtained by the Data Controller (the client).
- We fulfil all children’s Data Subject rights as we do for adults.
- We do not market to children.
- Our privacy notices are written for adults. Should children need an additional explanation, it must be provided by the Data Controller (we will assist with this if required).
- We do not carry out any fully automated processing on children’s data that has legal or similarly significant effects on them.
- Any risk to children’s data in new developments is picked up in Data Protection Impact Assessments.
- Given the above, we do not involve children in designing our systems.
9. Data breaches
CTM is updating its Information Security Incident Management Plan to improve its response to personal data breaches, in accordance with the guidelines in ISO/IEC 27005:2011. The plan is being developed with CTM globally, and addresses possible breaches arising from customer and supplier actions as well as from our own systems.
10. Data Protection by Design and Data Protection Impact Assessments
New projects at CTM will be screened to assess whether they require a DPIA.
CTM’s Projects team will adopt the Data Protection by Design principles, as have SABStt (the developers of our Lightning UK series of Online Booking Tools). CTM will continue to assess its systems for their ability to meet Data Subject rights.
11. Data Protection Officers
CTM has appointed a full-time Information Security and Data Protection Officer.
12. International
As a Travel Management Company, CTM necessarily sends personal information abroad, including to countries that are not covered by an “Adequacy Decision” from the European Commission. Like many Travel Management Companies, CTM makes extensive use of Sabre’s Global Distribution System, which is based in the United States. CTM and Sabre exchange information under the European Commission’s Standard Contractual Clauses (Model Clauses), and this will also be CTM’s approach with other organisations outside the EEA. The situation is complex and evolving, and CTM will take the necessary measures to adapt and remain compliant.
Continuing GDPR Assurance
CTM is incorporating the controls in ISO/IEC 29151:2017 into its upcoming ISO/IEC 27001:2013 certification.