The EU’s General Data Protection Regulation (GDPR) comes into force in May 2018, drastically changing the rules about how businesses hold and use customer data. We’ve teamed up with Abta and Travlaw to put together a guide on what the changes mean and the action businesses need to take now to make sure they are compliant. Amie Keeley reports
What is GDPR?
The General Data Protection Regulation is being brought in to strengthen and unify data protection for all individuals within the EU. It will supersede the Data Protection Act 1998 and other data protection regulations.
The legislation will come into effect on May 25, 2018, regardless of Brexit. It has customer privacy at its heart and is widely regarded as much more robust than existing rules.
Organisations will have to keep records of all personal data, prove consent was given, show what it is being used for, how it is being protected, and how long it is kept for. Failure to comply could lead to a fine, which would be based on the turnover of the business.
Evolution not revolution
Despite the looming changes and scope of GDPR, travel businesses should not regard it as too onerous.
“Travel has a definite advantage over other industries because people want to hear about holidays and offers,” according to Farina Azam, a partner at Travlaw.
“The main reason for the law is to stop spam and data being passed on to third parties. It’s not to stop companies contacting customers about services they have provided in the past.”
Abta’s director of legal affairs, Simon Bunce, added: “It is being portrayed as big, scary and complicated, and a lot of companies might be tempted to put it off and hope it goes away, so we need to get people engaged.”
The Information Commissioner’s Office (ICO) is the UK regulator tasked with enforcing GDPR.
Bunce said: “The ICO describes it as an evolution rather than a revolution and I think that’s right. Businesses should [already] have a pretty robust system in place, so they should not be starting from zero.”
Audit your data
Carry out a data audit to establish what data you have, why you have it, what you want to do with it and what consent you obtained for it; was it explicit, implied or neither? (see Step Two).
Abta has a downloadable spreadsheet you can fill in to help you understand where you are meeting requirements, where you need to take action or where you do not know the answer.
The ICO also has a useful checklist on its website for companies to complete to assess how prepared they are for the
Capturing customer information to make a booking is a necessary part of providing the service to the customer and does not require explicit permission.
But if you want to use that data for something other than its original purpose, such as marketing or promotions, you may need to get clear consent.
Consent to use a customer’s data must be written or verbal and you must be able to show how consent was given and when – so keep a record of it.
Incorporate obtaining consent when you interact with your customers, such as when making a booking, or ask holiday reps to give out consent forms to sign with other paperwork.
If you need to contact your customers for consent, include multiple tick boxes for each type of consent you are seeking (marketing promotions, offers, travel advice etc) alongside a promotion before the law changes. Only contact those who have not complained about being contacted.
Consider seeking legal advice on the wording for the consent. For call centres, update your scripts to incorporate requests for consent.
Get as much explicit permission before considering other options (see box, bottom right).
Review who in your business has access to your company’s data and why. Consider restricting access.
Where do you keep it? Are hard copies locked away in a filing cabinet? What online security do you have in place? Is it secure?
Travel companies share customer information with suppliers all the time for booking purposes, so businesses must review the contracts they have in place with third-party suppliers. There is much more emphasis in the new law around what the ‘processor’ is doing with data from the ‘controller’ (see box, right).
Most airlines and hotels have an obligation to adhere to the new rules as it applies to them as well, but seek legal advice if needed.
Abta said it will be working with supplier groups to ensure work is going on across the supplier chain.
Could I get a huge fine?
There will be much more power for the regulator to take action against firms that do not comply. Fines will be up to €20 million or 4% of annual turnover, whichever is the greater, but only for the most serious breaches.
While you should assume there is more scope to increase fines across the board for smaller breaches, if you show you take privacy seriously and have taken the relevant steps to comply, you should not be hit with a huge fine.
Under the new rules, businesses also have a legal obligation to notify the ICO within 72 hours when there has been a data breach.
Do you have the right systems in place to detect a breach and are you able to identify what and who are affected? This is largely dependent on your IT systems, which should be reviewed.
In some circumstances you will also have to let customers know there has been a breach.
At the end of the process, you will end up with a valuable and relevant database with a better understanding of what your customers want to hear from you about.
Other permission points to consider
Soft Opt-In: This remains under the Privacy & Electronic Communications Regulations (PECR). If a customer has contacted you previously for a quote or to make a booking, it is assumed they will be happy for you contact them in relation to similar goods and services. However, it applies only to email and text marketing, and you must give the customer the opportunity to opt-out. Please note that PECR is currently under review so the position may change in the future.
Legitimate Interest: The GDPR mentions direct marketing as a possible ‘legitimate interest’. However, I’d be wary of relying on this in its entirety where companies don’t have the customer’s consent to contact them in this way. At best, I’d say a company could possibly rely on legitimate interest to contact customers for marketing purposes where they have only obtained implied consent for marketing communications.
Advice by Farina Azam, partner at Travlaw
Controller v processor
The ‘controller’ is the company that collects and owns the data and dictates what to do with it – for example, the agent.
The ‘processor’ is the company that uses the data to fulfil a service – for example, the airline or hotel.
The controller has greater liability, but the processor will have more responsibility than previously under the new regulations.
Data seminar in Manchester
Abta and Travlaw will host a seminar on Data Protection and Cyber Security in Travel on September 21 in Manchester.
Fee: £215 plus VAT for Abta members, £325 plus VAT for non-members.