‘D-day’ arrives for GDPR, but does the global travel sector understand it and is it fully prepared for its implications?

25 May, 2018

You may have seen the humorous posts on social media about how by making a list, checking it twice and finding out who's naughty and nice that Santa Claus is in contravention of article four of the General Data Protection Regulation (EU) 2016/679. With a potential fine of as much as EUR20 million or 4% of global turnover, children may be going without presents for years to come! But in all seriousness, never since the Y2K millennium bug has one day been met with such global dread.
Summary:

  • New European General Data Protection Regulation (GDPR) comes into force today (25-May-2018) and companies have been scrambling to meet the terms of the new legislation;
  • It requires companies to have clearer and more robust processes in place when handling personal data relating to their customers, their staff or other persons who come into contact with their business;
  • A new key principle in GDPR is accountability - it's no longer enough to comply with data protection laws, businesses must demonstrate how they meet the new regulation;
  • While it is a European Union regulation it has global ramifications as it actually impacts any business doing work or handling data on European citizens.

That day is today (25-May-2018), as the year-long deadline to comply with the legislation comes into effect. The new European General Data Protection Regulation (GDPR) requires companies to have clearer and more robust processes in place when handling personal data relating to their customers, their staff or other persons who come into contact with their business. It will change how businesses collect, use, manage and store their customers' and employees' personal data.

The tougher data privacy rules do not just impact Europe, but any organisation handling personal information linked to EU residents. Anywhere in the world, if an airline flies a European citizen, an airport asks a European citizen for personal details on a WiFi access request, or a hotel asks a European citizen to fill in their personal details, it has to comply with the new regulation. The regulation can be complex to interpret and has left many organisations troubled right up to today's deadline, as the significant number of privacy policy emails you will have received this week testifies.

Organisations now have six lawful bases for processing personal data: consent, contract, legal obligation, vital interests, public task or legitimate interest. It is ironic that a piece of legislation on our privacy has ultimately resulted in all these additional email messages telling us how privacy is so important to Business A, how Business B promises to store our personal data safely and how Business C says it will no longer push numerous marketing messages our way, unless, of course, we tick a box and agree to it.

While it is clear that we are not facing the precise 00:00 Doomsday scenario feared on the eve of the year 2000, when it was thought technology would collapse, and some leeway will be offered to businesses to ensure they meet the new regulatory criteria, GDPR is now here and businesses must comply or face hefty financial repercussions.

GDPR is particularly relevant to the travel industry where there are often multiple uses for data and multiple channels for collecting it too. Similarly, travel companies collect and share customer information with suppliers, often overseas, for booking purposes, so businesses also have had to review existing contracts with third-party suppliers.

A new key principle in GDPR is accountability - it's no longer enough to comply with data protection laws, businesses must demonstrate how they meet the new regulation. Breaches of the GDPR may be damaging enough to an organisation's brand through negative publicity, but they could also lead to criminal proceedings, with the consequence of non-compliance being those fines of up to EUR20,000,000 or 4% of annual turnover.

GDPR is described by the European Union as the most important change in data privacy regulation in 20 years and replaces the Data Protection Directive 95/46/EC, but many still see it as an evolution in the way that data is protected rather than a revolution, and simply as a waking up to how the world has changed.

The Blue Swan Daily reported earlier this year that ABTA, the UK travel trade association for tour operators and travel agents, was anticipating a rise in Travel Management Company (TMC) usage as companies seek to protect the personal data of staff. The research, conducted for ABTA by Censuswide, looked at the steps businesses will take to protect staff's data when travelling for work, with more than one in four (28%) saying that they would employ the services of a TMC and ensure all travel is booked only with agreed suppliers within the travel policy.

The hotel industry is particularly impacted by GDPR as hotels process personal and sensitive data on a large scale and are considered among the most vulnerable to data threats. With personal data being supplied from many sources such as third-party booking systems and corporate websites, huge amounts of guest data and payment card transactions processed every day, and significant staff turnover, there has been much they have been required to do to address the policies, procedures and technology they use for handling personal data, and to ensure that staff are fully aware of their obligations.

The plethora of emails about GDPR shows action is being taken, but surveys suggest that as many as 85% of European companies will not be fully GDPR compliant as of today's deadline. A survey by French consultancy Capgemini says that British businesses are the most advanced and Swedish ones have the most work to do still, while a survey conducted by Britain's Federation of Small Businesses estimates that complying with the rules will cost businesses in the country an average of GBP1,030.

While GDPR is about protecting our privacy, it is at the same time putting us at risk: cybersecurity experts have warned that cyber criminals are taking advantage of the numerous legitimate messages from businesses on the matter to target email users with sophisticated phishing scams. Airbnb customers are among those who have fallen victim to the scam, in which criminals send fake GDPR notices asking customers to confirm login or personal information via online links so that they can continue to use the service being provided.
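The lure described above (a privacy-notice pretext combined with a request to confirm login details through a link) is something a mail gateway or security team can triage with a few simple indicators. The following is an added example written for this page, not code from the article or from any vendor: the message samples, the domain names (all `example-*` placeholders) and the `is_suspicious` threshold are constructed assumptions, and `registered_domain` is a deliberately crude stand-in for a public-suffix-list lookup.

```python
"""
Heuristic triage for GDPR-themed phishing emails (added example, not from the article).

Indicators scored, one point each:
  1. a privacy/GDPR pretext in the subject or body,
  2. a request to confirm credentials or account details,
  3. links whose domain differs from the sender's domain,
  4. a Reply-To domain that differs from the From domain.
A genuine privacy-policy update normally trips only the first one.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple
from urllib.parse import urlparse

PRIVACY_TERMS = ("gdpr", "privacy policy", "data protection", "personal data")
CREDENTIAL_TERMS = (
    "confirm your login", "verify your account", "confirm your details",
    "enter your password", "reactivate", "account will be suspended",
)
URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)


@dataclass
class Email:
    sender: str     # header From address
    reply_to: str   # Reply-To address, "" if absent
    subject: str
    body: str


def registered_domain(host_or_addr: str) -> str:
    """Last two labels of a host or e-mail address (assumed simplification:
    a real check should use the public suffix list, since e.g. co.uk is a suffix)."""
    host = host_or_addr.rsplit("@", 1)[-1].lower().strip().split(":")[0]
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def link_domains(body: str) -> Set[str]:
    """Registrable domains of every http(s) link found in the body."""
    return {registered_domain(urlparse(u).hostname or "") for u in URL_RE.findall(body)}


def score_email(msg: Email) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one message."""
    text = f"{msg.subject}\n{msg.body}".lower()
    reasons: List[str] = []
    if any(t in text for t in PRIVACY_TERMS):
        reasons.append("privacy/GDPR pretext")
    if any(t in text for t in CREDENTIAL_TERMS):
        reasons.append("asks recipient to confirm credentials or account details")
    sender_dom = registered_domain(msg.sender)
    foreign = {d for d in link_domains(msg.body) if d and d != sender_dom}
    if foreign:
        reasons.append(f"links point off the sender's domain: {sorted(foreign)}")
    if msg.reply_to and registered_domain(msg.reply_to) != sender_dom:
        reasons.append("Reply-To domain differs from From domain")
    return len(reasons), reasons


def is_suspicious(msg: Email, threshold: int = 3) -> bool:
    """Flag a message when at least `threshold` indicators are present (assumed cut-off)."""
    return score_email(msg)[0] >= threshold


# Constructed sample messages; the domains are placeholders, not real senders.
PHISH = Email(
    sender="privacy@example-rentals.com",
    reply_to="support@example-rentals-gdpr-center.net",
    subject="Action required: GDPR update to your account",
    body=("Under the new GDPR rules you must confirm your login details within 24 hours "
          "or your account will be suspended. Confirm here: "
          "https://example-rentals.account-confirm-secure.com/login"),
)
LEGIT = Email(
    sender="privacy@example-rentals.com",
    reply_to="",
    subject="We've updated our privacy policy",
    body=("To comply with GDPR we have updated our privacy policy. You don't need to do "
          "anything. Read it at https://www.example-rentals.com/privacy"),
)

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("legit", LEGIT)):
        score, reasons = score_email(msg)
        print(f"{label}: suspicious={is_suspicious(msg)} score={score} reasons={reasons}")
```

The point of the scoring is that no single indicator is decisive: every genuine privacy-policy mailing mentions GDPR, and plenty of them carry links, so the signal comes from the combination of a credential request with links or a Reply-To that lead away from the apparent sender.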

What is clear is that while the GDPR compliance emails and unsolicited emails will stop, this story will continue to run. We will be watching closely to see how the travel industry is impacted by the new data protection legislation and perhaps uses it as an opportunity to build trustful relationships with customers and ultimately deliver a better, more personalised service.