With less than four months to go until the General Data Protection Regulation (GDPR) comes into force, ABTA has reiterated that travel companies must begin preparations to meet the new regulations, if they haven’t already done so.
From 25 May this year, the GDPR will affect how businesses collect, use, manage and store their customers’ and employees’ personal data. Many travel companies will already have processes and systems in place that go a long way towards compliance with the new rules. However, some things will change.
The GDPR will require businesses to be more accountable, and have clearer and more robust processes in place when handling personal data relating to customers, staff and others whose personal data they deal with. This is particularly important for the travel industry where there are often multiple uses for data and multiple channels for collecting it too. Similarly, travel companies collect and share customer information with suppliers, often overseas, for booking purposes, so it’s vital that businesses review the contracts they have in place with third-party suppliers.
If they haven’t already done so, businesses need to get started with the following three steps as soon as possible: perform a Review, understand the Requirements and collate Relevant records.
First and foremost, businesses need to carry out a full audit of the data they hold and how they handle it – including how it’s collected, what it is used for and how it is stored securely. ABTA has produced a data protection audit spreadsheet with guidance which can help Members in their preparations for the GDPR.
Next, they need to understand if their procedures for acquiring and processing data are robust enough to meet the more rigorous requirements of the GDPR. Businesses need to consider what the legal basis is for processing relevant sets of data, as they will only be able to process personal data if it adheres to one of six lawful bases, such as the fact that the processing is necessary for the performance of a contract with the data subject. More information about each of the bases is on the ICO website.
Businesses need to update their privacy statements in order to be completely transparent with customers about how they use their data. They need to clearly inform individuals about the purposes of processing their data and what will happen to their data, and bear in mind all the additional details required under the GDPR.
Non-compliance with the new laws could result in fines of up to £17,000,000, or 4% of annual turnover, as well as other business impacts such as negative publicity and loss of goodwill and employee trust.
Simon Bunce, Director of Legal Affairs, said: “The GDPR is an evolution in the way that data is protected, rather than a revolution. The biggest priority now is knowing what GDPR means for their businesses and having the organisational capacity to start making changes in time for its introduction in May.
“We can expect everyone to demand higher levels of security and compliance following the introduction of the law and any perceived weakness in this area will damage trust. ABTA has been helping Members prepare for the GDPR since Autumn 2016, raising awareness at regional meetings, developing dedicated events and creating materials which explain what steps they should be taking. We have also been pointing people towards the ICO’s ‘12 steps to take’ guidance document.”
Rhys Griffiths, partner & head of travel regulation at Fieldfisher, and moderator at ABTA’s Data Protection and Cyber Security in Travel seminar today, comments: “One new key principle in the GDPR is accountability – it's no longer enough to comply with data protection laws, businesses must demonstrate how they meet the new regulation.
“It’s not too late to make these changes to help your business be compliant with the GDPR and those which have processes and policies in place to adhere to the Data Protection Act will find that there is a lot of existing resource which can be re-utilised for GDPR compliance purposes. It’s also important to remember it will be an ongoing process, rather than a race to the 25th May.”
ABTA will be holding a number of one-day seminars on regulatory changes occurring in 2018, which will include the GDPR, throughout the coming months. In addition to this, ABTA’s Travel Law Seminar in May will provide the essential legal update for the travel industry across a 2-day event. Please visit abta.com/events for more information.
It’s likely that the final Package Travel Regulations will be published in May – less than two months before they are due to come into force in July. So it’s important that businesses take the opportunity to get ready for the GDPR in advance of May – otherwise they will be leaving themselves with little time to prepare for both.