
Data privacy regulators ‘will get more aggressive’

Europe’s General Data Protection Regulation (GDPR) will make regulators “more powerful and aggressive”, a leading data privacy expert has warned the travel industry.

Deloitte partner Peter Gooch, a specialist in data privacy, told a Travel Weekly Cyber Security Summit in London: “The impact of getting it wrong [under the GDPR] will go up significantly.

“Organisations will probably not be hit by big fines straight away, but the impact of getting things wrong will be much greater.”

He warned: “Regulators will get more powerful and aggressive post-2018.”

The GDPR will come into force on May 25 next year, harmonising data protection rules across the EU.

The regulation gives regulators the power to impose fines of up to 4% of global turnover or €20 million for “serious breaches”, whichever is the greater.

Gooch said: “It applies to all companies. You will have 72 hours to report a [data] breach, when at the moment travel businesses don’t have to report a breach.”

Only public sector bodies and telecoms companies in the UK must report data security breaches to the Information Commissioner’s Office (ICO), the UK regulator, at present.

Gooch suggested: “The ICO will be inundated.”

He warned: “Perhaps most scary, the regulator may make you go public [on a breach].”

Gooch said: “Consent is probably causing most challenges. Consent will have to be unambiguous – that means [users] actively opting in, not a tick box to opt out.

“If you don’t have that now you will have to go back and ask for consent [for data you already hold].”

He described this as “probably the single hardest thing commercially”, reporting: “One organisation I know of will lose £25 million a year [as a consequence] because probably only 10% of users will actively opt in.”

Gooch asked industry representatives at the summit: “Do you know where your customers’ personal data is? Do you know where and how it is being processed, and how long it is retained?

“One of the biggest changes is you will have to actively demonstrate you are in compliance.”

He added: “How you use data can’t be hidden in legalese.”

Gooch said companies would need to balance “the risk of getting it wrong” on the regulations “against the risk of getting it wrong commercially”.
