Currently, GDPR is the hot marketing topic, and quite rightly. The major question for PTS members is, “How Will GDPR Impact My Travel Business?” It is important that all travel businesses are prepared for the new data protection changes that must be implemented by May 25th 2018. Consumer protection is key in travel and this is just another improvement to protect consumers.
There seems to be significant confusion about GDPR so we wanted to take this opportunity to try to simplify the changes in regulations, what areas GDPR applies to and processes you can implement to ensure you follow the new GDPR rules.
The legal definition for GDPR is long, but the snippet below helps to shed some light:
Personal data is defined within the GDPR, as “any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, such as National Insurance number, address, email address, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
GDPR is only concerned with personal data – corporate data is not included at this stage.
GDPR applies to the processing of personal data by organisations established or operating within the EU. It also applies to organisations outside of the EU that offer goods and services or monitor the behaviour of EU citizens.
GDPR places heavy weight on “accountability”, which means that organisations have to be in a position to prove that they have taken every measure to ensure compliance with the new GDPR rules.
To be able to show accountability, we would strongly advise that you keep written documentation of your personal data audit, which we will now discuss further.
Data Held By Travel Companies That Should Be Considered when Addressing GDPR
Client Details To Be Considered for GDPR
- Email addresses
- Telephone Numbers
- Personal Preferences
- Passport Details
- Date of Birth
- Postal Address
- Ethnic Origin
- Health details
- Financial and payment information
HR information to be considered for GDPR
Previous employees and previous address details of employees
Your first step should be to conduct an internal data audit of all personal data processing. Consider and record your organisation’s agreed policies and procedures concerning data mapping.
Key areas of importance for an Internal GDPR Compliance Audit
- What types of data do you collect?
- Why do you collect the specific personal data?
- How do you collect and use it?
- How do you store the personal data?
- How secure is your data storage facility/server?
- How long do you retain the personal data?
Once you have run through the above questions in your audit, you must then consider whether your processes are in alignment with GDPR rules.
- Does your travel business need to appoint a Data Protection Officer? In some cases, this is mandatory now.
- Have you updated your privacy policies in alignment with GDPR rules?
Many travel businesses have data transfer and sharing arrangements. This is still OK, but you MUST ensure that you have appropriate contracts in place.
Consent is a pivotal part of how GDPR impacts your travel business. Your consent mechanisms are a critical consideration. Gone are the days of a pre-ticked box to sign up for a newsletter and third-party sharing. An individual now has to physically “opt in” to any correspondence. It is mandatory to demonstrate consent. It is also mandatory to allow any person you are contacting an easy route to “opt out”.
Legitimate interest is a further area for consideration in processing and is especially applicable to travel businesses. You need to understand why you are processing the data you require – for instance, the personal data required to fulfil the action of booking a package holiday. In essence, your travel company and its employees should only ask for relevant information that is needed. In short, would your client agree that you need all the information you are storing?
Fundamentally, if a travel business cannot prove they need personal data for any given client at that time then it should not be stored.
Currently, Data Protection has a limit of a £500,000 fine, but GDPR will increase this to 20,000,000 Euros or 4% of worldwide turnover – whichever is deemed greater. However, there are concerns about how the new GDPR rules will be controlled and enforced. Arguably, someone isn’t going to knock on your door on May 25th to check. But if a spot check were to occur, or you were reported for not following GDPR, there will be penalties. So, this is a quick guide for you to take steps to ensure your tour operator or travel business is ready.
Do take a look at the Information Commissioner’s Office Website for full details – it is incredibly informative and easy to read. We have a further blog on EU Data Protection – GDPR.
If you’d like to discuss how GDPR impacts your travel business further, please get in contact with one of Protected Trust Services’ (PTS) lovely staff members by calling 0207 190 9988. Or, you can visit our member support and travel trust account pages to learn more about how we protect you.