Are travel firms ready for GDPR data rules?

Data protection rules are changing from next year, leaving travel firms at risk of heavy fines and reputational damage if they breach GDPR.

Every travel business that handles personal data, including customer details and staff and supplier information, should now be focused on 25th May, 2018 in readiness for compliance with the EU’s new data protection rules.

General Data Protection Regulation (GDPR) aims to safeguard all EU citizens from privacy and data breaches regardless of whether the processing takes place in the EU or not.

It will transform the way that information is stored and managed, with companies now needing the explicit opt-in consent of clients or customers to hold their data. This must be achieved using clear and plain language, and it must be as easy to withdraw consent as it is to give it.

Sizeable penalties

Cyber attacks, such as the one that affected travel association ABTA earlier this year, are likely to result in much more draconian financial penalties. TalkTalk’s penalty of £400,000 for security failings that led to a cyber attack in 2015 would have been £37 million or more under GDPR.

That’s because infringements will trigger fines of up to 4% of annual global turnover or 20 million euros, whichever is higher. There will be a tiered approach, so a company can be fined 2% for not having their records in order, for example.

But the impact will be much more than just financial, with firms also suffering a loss of customer confidence if they are found to have breached GDPR.

Marketing tactics

For the travel industry, the rules will require a new approach to email and paper marketing as GDPR will stop automatic opt-ins and the use of implied consent. On the plus side, this means that those names remaining on databases will be the ones more receptive to targeted product and service offers.

Some firms will see other advantages, such as the opportunity to poach data if customers request their information is ported from one company to another.

UK firms need to remember that Brexit won’t stop GDPR, even though this is EU  legislation. The government has said it is committed to the changes, which also apply to non EU-companies who offer products and services in Europe.