June 2018, London
10 practical recommendations to address GDPR
As Facebook stares the prospect of a hefty GDPR-related fine in the face, the clock is also ticking for data-hungry travel firms. For those still grappling with the challenges, here experts share insights and tips.
The Facebook-Cambridge Analytica furore this week has thrown the way companies handle data into even sharper relief, as time marches on to the May 25th deadline when all companies will need to comply with the new EU General Data Protection Regulation (GDPR). In fact, in just over two months all businesses will need to consider how their use of customer data will be made transparent, and not infringe an individual’s rights. And that is not the end of it; they will also need to maintain the security of that data everywhere it’s used.
Companies that don’t comply, and that includes Facebook, could face a maximum fine of up to £17m or 4% of global turnover. But, warns Keith Dewey, a GDPR whizz and cybersecurity expert who will be speaking at EyeforTravel’s London show, “the reputational damage and remediation costs after a breach could actually be a lot higher”.
There is a real opportunity to collaborate across industries to help develop adequate controls
Keith Dewey, GDPR and cybersecurity expert
Luckily, this has led many company executives to sit up and take note, and work has been underway to align with the legislation by May. As David Armstrong, CEO of Holiday Pirates, says: “Companies have a responsibility to keep the data they collect secure. Of course there is always a risk but it is important to minimise it as far as is possible.”
Holiday Pirates, which relies heavily on reaching customers via social media, has been working on GDPR compliance for months. Armstrong, who will also be speaking in London in June, is fairly confident that incidents, like those in the news this week, will happen less and less, thanks to the application of GDPR.
However, Dewey argues that there is still a real opportunity to collaborate across industries to help develop adequate controls.
Focus on travel
Travel companies, however, have specific challenges including the way that personal (customer and staff details) and special (health, biometric, race and so on) data is used for their processes and services. In addition, they need to consider how that data is shared with countries that may not have adequate data protection laws in place. “Many people love to escape to those remote destinations that just don’t operate to EU privacy standards,” Dewey explains, adding that another consideration for UK companies, “is whether they will have adequate protection laws after Brexit!”
Rajeev Shaunak, head of travel & tourism at the accountancy, audit, tax & business advisory service MHA MacIntyre Hudson, has also been considering the impact of the new GDPR regulation and advising firms on becoming compliant.
Data is often a travel company’s most valuable asset
As he points out, data is often a travel company’s most valuable asset. “Without a list of existing and past customers, travel companies can’t generate repeat customer sales,” he says.
As we know only too well, many operators hold extensive marketing databases of personal information, collected through bookings, administration, and on and offline marketing activities. This comes directly from individuals, and via intermediaries such as travel agents and travel search websites. And then there are user profiling and online tracking tools, such as cookies, which are also used to help better target marketing campaigns.
GDPR requires companies to adopt adequate security controls for personal data too, and as standards improve this may reduce data losses and ‘card-not-present’ fraud in the future. But even this poses risks for travel companies. Says Dewey: “Individuals will still give away their own data to criminals, buy travel from fake intermediaries and fall foul of fake holidays.”
Data protection on steroids
All this is driving a lot of governance work, including revised policies, training and assurance, which is time-consuming! “It’s a little like the current data protection laws, but on steroids,” comments Dewey.
Indeed, a company’s ability to inform the ICO (Information Commissioner’s Office) of a data breach within 72 hours of being alerted, and to respond to subject access requests within one month, can be a challenge if there hasn’t been sufficient planning upfront!
Shaunak stresses: “Time is ticking; if companies haven’t already begun reviewing their data processing procedures, they must start now, especially as they will soon have the challenges of the new Package Travel Directive to contend with too.”
10 practical recommendations for companies:
- Map where personal data is held, where it came from, who has access, what it is being used for, what the lawful basis for that processing is, and how its use is controlled.
- Expand consent notices online and in brochures.
- Explain the option to opt out of future marketing, when data might be collected, and exactly how it could be used, to meet the new requirement for ‘clear affirmative action’ and an end to pre-ticked boxes and bundled consents.
- Consider how best to signpost privacy notices.
- Warn customers if data collected may be sent outside the European Economic Area (EEA), to Government Digital Service centres overseas for example, where data protection may not be as strong as within the EEA.
- Ensure customers are aware of their right to demand full details of the information held on them. Unlike in the past, travel companies can no longer charge for providing this.
- Understand that a company’s appointed data controller must notify privacy regulators and affected individuals in the event of certain data privacy breaches within 72 hours – and this can take time.
- Conduct a full data audit, and review data collection forms and privacy notices.
- Demonstrate compliance to regulators on an ongoing basis and maintain records of data protection management. Details must include how long information is being retained for and the consents held. Without consent, companies may be expected to destroy information after the travel arrangements have been completed, provided there’s no contractual requirement for it.
- Re-examine processes and systems used to deal with data subjects’ rights, including new rights in relation to erasure of data, data portability and use of profiling, along with supplier arrangements with third parties such as hoteliers and airlines.
To hear more from Keith Dewey, who will be speaking on how to ‘Overcome GDPR - A Law in Full Force’ at EyeforTravel Europe 2018 and Holiday Pirates CEO David Armstrong, whose Day 2 keynote is about how to build a B2C brand without dependence on Google