Consumer Data Protection is changing.
The changes will have massive effects on the travel industry’s marketing. With only 8 months to go until the law applies, and 5 of those months (Jan – May) usually being travel businesses’ busiest, there has never been a better time to start getting organised.
Read our easy-access guide to GDPR to help you get started, and if you require further information or guidance please do contact us.
Understanding GDPR in your travel business
The EU General Data Protection Regulation (GDPR) is the biggest shake-up to Data Protection in the UK ever and takes precedence over the Data Protection Act of 1998 that you are almost certainly (or should be) registered for.
As a Travel Agent or Tour Operator you MUST be prepared and able to comply with the new regulations by May 2018. This regulation applies to you because you hold data about identifiable persons (including your staff as well as clients).
The regulation changes the way that you can collect, process and secure data about your clients, potential clients, staff and suppliers.
In essence, GDPR is aimed at giving individuals rights over the data that companies can hold on them and use for marketing. It is aimed at stopping the current form of ‘hiding’ what companies do with data in lengthy privacy statements (think of the last time you read an Apple privacy notice when setting up a new phone). So as an individual this is a good piece of legislation. For businesses, it could be a bit of a headache.
This is not something you can avoid. It will be the law and so you MUST COMPLY.
You have until May 2018 to comply. If you don’t, then you could face massive fines which are potentially business destroying.
A Level 1 breach could incur a fine of up to €10,000,000 or 2% of global annual turnover, and a Level 2 breach can be a fine of up to €20,000,000 (£17,000,000) or 4% of global annual turnover, whichever is the greater.
The EU document is around 200 pages long. There are some summary definitions that everyone who runs a company will be expected to know and understand in order to manage their compliance. If you understand the terms below, then it will help you when deciding on a plan to become compliant with the Regulation.
PERSONAL DATA – Name, email address, telephone number etc. You store this data in booking systems, CRM systems, email systems, quote systems, filing cabinets, mobile phones, email lists etc. It covers any identifying information.
Typically you may store random information on a client such as “likes Greece”. This is deemed to be Personal Information and is therefore data that falls within GDPR compliance.
SENSITIVE PERSONAL DATA – this is very specific personal data that would never normally be in the public domain. It includes racial / ethnic origin, political opinions, membership of trade unions, religious beliefs, health conditions both physical and mental, sexual orientation, and criminal offence history.
For travel businesses, you may record if someone has a health issue because this is needed for your booking records. You will need to make the client aware of how you use this information that you gather.
CONSENT – this must be “freely given, specific, informed and an unambiguous indication of the data subject’s wishes which may be communicated either by a statement or by clear affirmative action. Consent also has to be a positive indication of agreement to personal data being processed – it cannot be inferred from silence, pre-ticked boxes, or inactivity.” Information Commissioner’s Office.
DATA CONTROLLER – this is you! It is the person that determines how the data will be used.
DATA PROCESSOR – anyone who processes data for you (for the data controller) excluding your employees. This will be, for example, Tour Operators to whom you pass the data in order to fulfil the booking, and software providers such as Net Effect who manage your cloud software systems (websites, CRMs etc.).
DATA PROTECTION OFFICER – The person responsible in your business. For companies with fewer than 249 employees you don’t need to register a DPO, but you still need to know who is responsible.
DATA BREACH – This is when your data has been breached, stolen, viewed or used by anyone unauthorised to do so. This covers everything from malicious hacking to forgetting your laptop on a train. You have to have processes in place to inform the ICO of any breach within 72 hours.
ICO – Information Commissioner’s Office – the data authority in the UK.
The definitions below sum up the rights of individuals after GDPR. Managing compliance and your marketing will need to be ordered and managed, and it’s best to do this with a CRM (customer relationship management software).
The Right to be Informed – The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data.
The Right of Access – Under the GDPR, individuals will have the right to obtain:
- confirmation that their data is being processed;
- access to their personal data; and
- other supplementary information – this largely corresponds to the information that should be provided in a privacy notice.
The Right to Rectification – An individual can request that any errors in the data be corrected. This must be done within one month.
The Right to Erasure – This is also known as ‘the right to be forgotten’. This is the data subject’s (your client, supplier, ex-employee etc.) right to be completely erased from your databases.
The Right to Restrict Processing – This is key for travel businesses and the impact it may have on marketing. Individuals have the right to consent to you using their details to process bookings, but NOT to allow you to market to them.
Not only will you now have to ensure that your marketing is good (so that clients want to stay opted in to receive it), but you must also ensure there is an easy way for them to opt out if they want to.
The Right to Data Portability – An individual may ask for his or her data in a format they can take elsewhere. This should be provided in a machine-readable format; the guidelines suggest providing it in .csv format.
The Right to Object – The data subject (your client) can object to how you are using the data, in which case you must stop using it that way. It must be clear in both your privacy notice and your first communication with the individual how you intend to use the data, and that they have the right to object.
Steps you need to take now
With only 8 months to go before GDPR becomes law (and 5 of those months being the busiest months for travel businesses), it is important that you start to take action NOW. Here are the steps that you will need to take:
- AUDIT YOUR DATA – What information do you hold? Where and how is it stored? What security is in place? What are the processes in place for obtaining this data?
- ASSESS YOUR PROCEDURES AND PROCESSES – How are your clients and prospective clients being informed about how you collect and use information? Update website, trade show and store walk-in information gathering forms to ensure they are compliant.
- SET UP DATA RETRIEVAL PROCESSES
- SET UP PROCESSES TO DEAL WITH DATA ACCESS REQUESTS
- TALK TO YOUR TECHNOLOGY SUPPLIERS. IS YOUR CRM FIT FOR PURPOSE? Get written confirmation that your data processors will comply with GDPR.
- CENTRALISE INFORMATION MANAGEMENT – If you don’t already use a CRM, consider introducing one as a means of centrally managing all your data. You will run many systems, from booking systems to paper files and client phone numbers on telephone systems, which you will need to document centrally so that records can be kept up to date.
- ENSURE STORAGE IS SECURE WITH FIREWALLS, VIRUS MONITORING, STRONG PASSWORDS AND ACCESS CONTROL.
- CARRY OUT STAFF TRAINING – all your staff will need a general awareness of GDPR so that you can demonstrate that you have procedures in place to ensure data protection of your client data.
What is GDPR?
This is EU legislation that the UK government will continue post-Brexit, which means that from 25th May 2018 your travel business will need to comply with the regulations.
This effectively gives control to individuals as to how and where their data is stored and how it is used. It gives them control of the data, and you have to seek active permission to be able to use their data.
Children cannot give informed consent, so you will need consent from their parents / legal guardians to be able to process their data.
Passport details form part of ‘Personal Information’ that can be held with permission.
Whether a photograph counts as personal information depends on how it is processed and used. According to the ICO, police photographing crowds to identify trouble-makers is processing personal information, whereas a photojournalist photographing the same crowds to record the event is not.
If you are using photographs for marketing purposes, you will need to obtain confirmation from anyone attending and give them the right to be excluded or blurred out of the photograph.
If you are a travel agent with a shop, it’s likely that you will want to capture the new lead that just happened to walk into your shop. Gone are the days of just getting an email address and adding it to your database.
Converting your process to digital (so that a client in store can still sign up digitally while in the shop) will be a key process to implement to manage this consent change.