Abta is urging travel companies to start preparing to meet new data protection rules which come into force in less than four months’ time.
The General Data Protection Regulation (GDPR) will affect how businesses collect, use, manage and store their customers’ and employees’ personal data.
Non-compliance with the new laws could result in fines of up to £17 million, or 4% of annual turnover, as well as having other business impacts such as a loss of goodwill, employee trust and negative publicity.
In addition, the final Package Travel Regulations are likely to be published in May – less than two months before they are due to come into force in July.
Abta today highlighted to businesses the importance of preparing for the GDPR in advance of May – otherwise they will be leaving themselves with little time to prepare for both.
Many travel businesses will already have processes and systems in place that go a long way towards compliance with the new data protection rules.
But some things will change, Abta warned today ahead of the new regulations being introduced on May 25.
The GDPR will require firms to be more accountable, and have clearer and more robust processes in place when handling personal data relating to customers, staff and others whose data they deal with.
This is particularly important for the travel industry where there are often multiple uses for data and multiple channels for collecting it as well, according to Abta.
It is also vital that businesses review the contracts they have in place with third-party suppliers as travel companies collect and share customer information with suppliers, often overseas, for booking purposes.
The association is suggesting three steps companies should take: perform a review, understand the requirements and collate relevant records.
First and foremost, businesses need to carry out a full audit of the data they hold and how they handle it – including how it is collected, what it is used for and how it is stored securely. Abta has produced a data protection audit spreadsheet with guidance which can help members in their preparations for the GDPR.
They need to understand if their procedures for acquiring and processing data are robust enough to meet the more rigorous requirements of the GDPR. Businesses need to consider what the legal basis is for processing relevant sets of data, as they will only be able to process personal data if it adheres to one of six lawful bases, such as the fact that the processing is necessary for the performance of a contract with the data subject. More information about each of the bases is on the ICO website.
3. Relevant records
Companies need to update their privacy statements in order to be completely transparent with customers about how they use their data. They need to clearly inform individuals about the purposes of processing their data and what will happen to it, and bear in mind all the additional details required under the GDPR.
Abta legal affairs director Simon Bunce, speaking as the association held a sold-out seminar on data protection and cyber security in travel, said:
“The GDPR is an evolution in the way that data is protected, rather than a revolution. The biggest priority now is knowing what GDPR means for their businesses and having the organisational capacity to start making changes in time for its introduction in May.
“We can expect everyone to demand higher levels of security and compliance following the introduction of the law and any perceived weakness in this area will damage trust.
“Abta has been helping members prepare for the GDPR since autumn 2016, raising awareness at regional meetings, developing dedicated events and creating materials which explain what steps they should be taking.
“We have also been pointing people to the Information Commissioner’s Office [ICO] ‘12 steps to take’ guidance document.”
Rhys Griffiths, partner and head of travel regulation at law firm Fieldfisher – moderator at today’s seminar in London, added: “One new key principle in the GDPR is accountability – it’s no longer enough to comply with data protection laws, businesses must demonstrate how they meet the new regulation.
“It’s not too late to make these changes to help your business be compliant with the GDPR and those which have processes and policies in place to adhere with the Data Protection Act will find that there is a lot of existing resource which can be re-utilised for GDPR compliance purposes. It’s also important to remember it will be an ongoing process, rather than a race to the 25th May.”
Abta will be running one-day seminars on regulatory changes occurring in 2018 over the coming months. A travel law seminar in May will provide a legal update for the travel industry across two days.