Significant data fiduciaries will also have to assess implications not just from a compliance standpoint, but the cash flow impact in tax laws as well under the law that came to effect earlier this month, experts said.
The travel and hospitality sector has traditionally had access to a lot of customer data which could all come under scrutiny now.
“Companies need to take explicit user consent before user data is used under the new law, and the travel and hospitality sector will see a lot of digital transformation. Because of some of the physical touch points and points of sale, companies are grappling with sensitising their front desks on the matter. As much as possible, hotels will now have to ensure that user data is digital and there are paperless check-ins and reservations. If you look at loyalty programmes, there’s a lot of cross selling and upselling that happens through data,” said Mini Gupta, technology partner, EY India.
“The sector has a third-party ecosystem and companies are looking at minimising data exposure to third parties. Visa processing firms have access to critical data. International companies that are GDPR (General Data Protection Regulation of the European Union) compliant will have to look at other elements such as seeking multilingual consent and would need a data protection officer stationed in India if they qualify as significant data fiduciaries,” she added.Rahul Garg, managing partner at tax and regulatory consultant Asire Consulting, said significant data fiduciaries in the sector would have to assess the kind of major implications it would trigger not just from a compliance standpoint, but the cash flow impact in tax laws as well.
Discover the stories of your interest
“If the significant data fiduciary is based in territories that are blacklisted by the government, the data of individuals would be barred from access by such entities which would require them to set up their physical business presence for continuity of operations,” he said.
“This is apart from other requirements such as appointing a data protection officer in India who would be directly responsible to the board of foreign entities in the sector. All these requirements need to be delved in detail if the same would also trigger a taxable presence in India (if it involves a core activity versus an auxiliary one) and the resultant tax liabilities to discharge with Indian IRS,” he added.
In a response to ET’s queries, Bapsy Dastur, general counsel and head of corporate risk, compliance and legal at visa services provider VFS Global, said the company is currently studying the requirements of the new law.
“Having said that, VFS Global’s compliance to the requirements of data privacy laws in the countries of operation is part of our legacy of adhering to the highest standards in data protection, as well as adherence to the processes, security and data protection requirements of all the client governments we serve,” she added.
The head of a global hotel chain said his chain was already following some of the practices of GDPR in India and that the new law seemed to be broadly in line with some of the core requirements under GDPR.
“Compared to domestic chains, the implementation appears to be easier for companies that are already compliant with GDPR practices,” he said.
Kapil Mahajan, director of AKM Global that has clients in the travel and tourism space, said companies earlier were typically collecting data and providing various services through data sharing with group companies but that was restricted now.
“Companies need to take consent. And the processing of data should be for the purpose for which consent has been given. The data subject can always withdraw consent and ask for erasure of data. If users download a travel app, for instance, the service provider has to tell the data subject how their personal information will be processed. The moment the service is provided they have to erase this data. They can’t keep using it till infinity,” he added.
