Jane Clutton, corporate manager of Aviate, looks at how travel sellers can prepare for GDPR before its introduction in May.
You have probably already heard about GDPR, otherwise known as the EU’s General Data Protection Regulations. GDPR is no longer on the distant horizon – it is just around the corner, with the new rules due to be enforced from May 25, despite Brexit negotiations.
In a nutshell, GDPR will change the rules about how businesses hold and use personal data, which is defined in the regulations as anything which aids the identification of an individual. So it may not be just a name (there are many John Smiths) but a name together with a date of birth, an email address (business as well as private), place of business, home address or passport details would be classed as data. At present it is governed by the Data Protection Act 1998. The aim of GDPR is to further strengthen the rights of the individual and protect their personal information and identity.
For the travel industry, it seems like a huge deal given the sheer amount of customer data we deal with on a daily basis. In reality, there is nothing to be scared of. Most businesses will already be compliant with the new rules and it may be simply a matter of adjusting policies and putting a few extra safeguards in place to ensure that data is stored securely and subject’s rights are clear.
Data can be split into three categories:
Employment contracts and your company handbook will need to be amended to reflect the new legislation confirming the business’s compliance, the reason for collecting and retaining the data and the data subject’s rights. You should check that the data is stored securely and the timescale and circumstances in which it is destroyed.
Privacy policies need to be updated explaining why the data is collected (usually for the performance of a contract), the customers rights, any disclosure to third parties and why (an airline for example) what you may use the data for and when it will be deleted.
Providers of services such as transfers and accommodation. You should ensure their compliance by updating your supplier code of conduct.
GDPR lists six acceptable reasons for using data and the two most relevant to travel industry sales and marketing departments are:
- Your legitimate business interest, as long as it can be justified when balanced against the individual’s right of privacy.
- Consent, which must be by way of a positive action such as ticking a box not unticking a pre- ticked box and evidenced.
Both reasons require you to remind the data subject that they have a right to decline any further marketing communication each time you contact them and make it clear how they can do that.
The good news is that if you are contacting people who have used your services previously, you can continue to contact them about similar products without approaching them for fresh explicit consent as the legitimate business interest reason should be acceptable.
It might be best to avoid direct marketing to passengers who have not been your clients without explicit consent though, so contact the agent or lead passenger but not the entire party.
Actions to ensure compliance with GDPR include:
Audit your data
Start by finding out what data you have. Outsource this to department heads if you can as they will be more familiar with the information needed. What data is stored, how, why, what is it used for, any third parties who are sent it, when it is destroyed and any policies currently in place regarding. It should be presented on a spreadsheet if possible, and there is an example on the Abta website.
Review data security
You need to consider who has access to your data and why. Are physical copies locked away and how safe are the keys? Is all portable equipment encrypted? Do you have adequate online security? When and how is data destroyed?
Privacy policies on websites, contracts of employment and company handbooks, data breach response procedure and suppliers code of conduct will need reviewing and amending to ensure compliance with the new regulations.