Travel firms risk breaching new EU data-protection rules due to come into force next May and should question the data they hold on customers.
The EU General Data Protection Regulation (GDPR) places a raft of new requirements on businesses, with a tariff of fines for breaches far in excess of any imposed up to now. It comes into force on May 25 next year.
Lawyer Matthew Pryke of legal firm Hamlins warned that regulators “will be geared up to make examples” of businesses.
And he advised companies to consider reducing the data they retain on customers, arguing: “It brings to the business.”
He told an Abta Travel Law Seminar in London: “How much data do you need to share, and how long do you need it? You can reduce that.
“We want information – the idea is data is valuable. We expect it to make for better analysis and that there will be more we can do with it.
“But most of the time, most data collected is not relevant. Balance that against the risk.”
Pryke revealed details of a UK survey suggesting most businesses (70%) are aware of the GDPR, but 73% have yet to allocate any budget to compliance, while one in ten (11%) did not consider non-compliance a risk.
He pointed out the fines for a major breach of the regulations had been set at €20 million or 4% of global turnover. “That is per breach,” he said.
Telecommunications firm TalkTalk suffered a well-publicised data breach in late 2015 and was fined £400,000 under the current regulatory regime in the UK.
Pryke said: “TalkTalk had numerous breaches.” He warned: “Your requirements to comply are in no way lessened because you are a small or medium-size company.”
He added that the UK regulator, the Information Commissioner’s Office (ICO), would lose a source of funding under the GDPR as this would remove the requirement on businesses to pay an annual registration fee.
Pryke said: “The ICO is likely to replace that income with fines. In my view, the ICO will be geared up to make a number of examples [of businesses] very early on.”
He argued businesses should allocate a budget and time to comply, audit the data they hold in relation to consumers and suppliers, appoint a data protection officer and assess their marketing strategy.
“If you don’t have a data protection officer it will leave you exposed,” he said.
“It does not matter whether you are located in the EU, if you do business in the EU you will be caught.”
GDPR rules include an expansion of the definition of personal data, “numerous enhanced rights for individuals” and “massive changes to the consent regime”, along with a “mandatory obligation to notify [the relevant authority] if you have a breach”, he said.
“If you are not in compliance and you have not notified, you are in breach.”