All travel businesses should be able to demonstrate they are acting to comply with Europe’s General Data Protection Regulation (GDPR) by the end of this week, but many appear unprepared for the rules which come into force on Friday.

Alexandra Cooke, associate lawyer at legal firm Hamlins, said: “Some [businesses] are panicking, some are taking it in their stride, some are ignoring it.”

Cooke told an Abta Travel Law Seminar in London on Tuesday: “The increased fines [for a data breach] could potentially bankrupt a company.” But she said: “Organisations don’t understand their database, why they are keeping data or what data is personal. Most of our clients say they keep data indefinitely – that will no longer be OK – and most don’t keep data securely.”

The UK Federation of Small Businesses reported in March that almost one in five of its members were unaware the new rules were coming in. Yet the regulation applies to all personal or ‘sensitive’ information and to its ‘processing’, which includes the storage and transmission of data.

Travlaw lawyer Luke Golding told an earlier Abta Seminar on GDPR compliance this month: “It means almost any use.” He warned the requirement to demonstrate compliance “has the potential to trip up a lot of organisations”.

His colleague, Travlaw partner Farina Azam, said: “Processing will be legal where it is necessary for the performance of a contract or to take steps to enter the contract.”

But she warned: “If you collect data for a booking, you can’t use it for another purpose. The less data you hold, the better. Ask yourself ‘do you need it?’”

Concerns among businesses appear to have risen as the GDPR deadline nears. The Institute of Directors this month reported a fall in the proportion of business leaders confident their organisations would comply in time, with just 16% declaring “a high degree of confidence” in their company’s preparations compared with 43% last August.

The institute warned that smaller businesses found it difficult “to digest the scale of the changes”.

Part of the problem has been a delay by the UK regulator, the Information Commissioner’s Office (ICO), in issuing advice. Lawyers are still awaiting guidance on some aspects of the GDPR.

Jo Kolatsis, partner at Hill Dickinson, said: “The ICO has been slack in sending out guidance, but it has confirmed it will take a light-touch approach while everyone gets used to this.” Cooke said: “It’s important you have a paper trail and document everything you do.” She advised using Abta’s website guidance to carry out an audit.

At a glance: What is GDPR?

• The GDPR is an EU regulation, but its standards are likely to be adopted worldwide since any organisation handling the personal information of EU citizens will be required to adhere to it.
• The rules run to more than 200 pages. They require an organisation to be transparent about how it collects, stores and processes personal data.
• Organisations must obtain unambiguous consent to use and retain data; keep it up to date; and delete old data.
• Consumers will be able to ask for the information companies hold about them and request it be deleted.
• A UK Data Protection Bill will supplement and in some cases extend GDPR’s reach.