The GDPR is being introduced with the aim of strengthening and unifying data protection for everyone in the European Union, and will supersede all previous data protection regulations. The legislation will become law on May 25th 2018, and has at its heart the notion of customer privacy. Organisations will be required to maintain all personal data records and demonstrate that they were given consent to access that information. They’ll have to show how it is being used, how the information is protected, and the length of time it is kept. Non-compliance could result in a fine that would be related to the company’s turnover.

The evolution of privacy laws

The good news for travel businesses is that, regardless of the scope of the GDPR, and the changes it brings, compliance should not be too onerous. In fact, the travel industry is at a considerable advantage over many other industries, as people are usually only too happy to receive information about holidays and associated special offers. The primary purpose of the law is simply to prevent personal information being given to third parties and thus to cut down on spam – not to prevent businesses from being able to contact customers about services they have previously used. The Information Commissioner’s Office, the regulator responsible for enforcing GDPR in the UK, says the new legislation is more ‘evolution’ than ‘revolution’ in terms of privacy laws; businesses with systems already in place will not have to start from scratch.

What you need to do

As a travel company, your first step is to perform an audit of all your data and establish what information you have and why, whether you have consent, and what you plan to do with the information. Customer information has to be captured to make bookings, but using that information for other purposes will require written or verbal consent. You will also need to review your security, and think about restricting access to such data.