Redfern take their Data Protection obligations seriously. In order to achieve GDPR readiness, and comply with the new regulation effective 25th May, Redfern appointed a dedicated Data Protection Officer in 2017. We achieved our 12 point plan based on the ICO’s “Preparing for the GDPR”.
We are engaging with suppliers to finalise our plans and implement them in good time.
We are rolling out an internal training program, updating our policies and privacy notices, and reviewing contracts with suppliers to ensure that customer requirements are met. Work is underway to ensure that all data subject rights can be fulfilled by our systems, and incident reporting procedures are being updated to GDPR standards.
Redfern has demonstrated compliance with rigorous third-party security frameworks and standards including ISO/IEC 27001:2013, PCI DSS Level 1, Cyber Essentials Plus and Cloud Security Principles. We undertake regular penetration testing and ensure that all our staff and contractors are trained in, and aware of, our privacy and security policy.
Redfern drew up customised GDPR eLearning material relevant to Travel Management Companies and rolled this out for all personnel. This training will be amended to new circumstances, and forms the basis of mandatory, regular training. Top management also receive the training to inform decision making.
2. Information you hold
Redfern has detailed catalogues of its data streams, and a summary “Customer Data Processing Activities” document appropriate for client needs.
3. Communicating privacy information
Redfern reworked its own privacy notices to GDPR compliance for 25 May 2018, and will co-operate with customers in delivering any privacy notices they wish to communicate.
4. Individuals’ rights
Redfern have adopted a “Data Subject Rights Policy”, which covers the rights expressed in Articles 15 to 22. The policy specifies co-operation with clients in fulfilling requests, and co-ordination along the supply chain.
5. Subject access requests
The handling of Subject Access Requests is laid out in our Data Subject Rights Policy.
6. Lawful basis for processing personal data
Redfern has reviewed its legal justification for the data processing it does on behalf of customers, and in all cases it is “Performance of Contract” as specified in Article 6 para 1 (b).
Redfern does not carry out any personal data processing for customers based on individuals’ consent.
- a. Redfern does not accept direct bookings from children; bookings are always made by an adult on a child’s behalf.
- b. Hence our processing of children’s data is carried out under the booking contract. If a child’s consent is required for processing, that must be obtained by the Data Controller (client).
- c. We fulfil all children’s Data Subject rights as we do for adults.
- d. We do not market to children.
- e. Our privacy notices are for adults. Should children need extra explanation it must be provided by the Data Controller (we will provide assistance on this if required).
- f. We do not carry out any fully automated processing on children’s data that has legal or similarly significant effects on them.
- g. Any risk to children’s data in new developments is picked up in Data Protection Impact Assessments.
- h. Given the above, we do not involve children in designing our systems.
9. Data breaches
Redfern updated its Information Security Incident Management Plan to improve responses to personal data breaches, in accordance with the guidelines in ISO/IEC 27005:2011. The plan is developed with CTM globally, and addresses possible breaches due to customer and supplier actions, as well as our own systems.
10. Data Protection by Design and Data Protection Impact Assessments
New projects at Redfern are screened to assess whether they require a DPIA. Redfern’s Projects team have taken Data Protection by Design principles on board, as have SABStt (the developers of our tRIPS Online Booking Tool). Redfern will continue to assess its systems with regard to their ability to meet Data Subject rights.
11. Data Protection Officers
Redfern has appointed a full-time Data Protection Officer.
As a Travel Management Company, Redfern necessarily sends personal information abroad, including to countries that are not the subject of an “Adequacy Decision” from the European Commission. As many Travel Management Companies do, Redfern makes extensive use of Sabre’s Global Distribution System, which is based in the United States. Redfern and Sabre exchange information under the European Commission’s Model Clauses (Standard Contractual Clauses), and this will also be Redfern’s approach with other organisations outside the EEA. The situation is complicated and evolving, and Redfern will take the necessary measures to adapt and remain compliant.
Continuing GDPR Assurance
Redfern is incorporating the controls in ISO/IEC 29151:2017 into its upcoming ISO/IEC 27001:2013 accreditation.