Destination Directory

Understanding the New GDPR for Travel Companies

You may have heard rumblings about GDPR—General Data Protection Regulation—and wondered what exactly it is and whether it affects your business. Read on for a breakdown that shares what you really need to know.

GDPR went into effect on May 25, 2018. If you're a European Union citizen or company or are a non-EU company that offers goods and/or services or monitors the behavior of EU data subjects, this applies to you. Since you may not always know if a customer is an EU citizen, the better assumption is that it applies.

What's the goal? To introduce a single data protection law that increases privacy for individuals by enforcing stronger security rules for companies that handle personal data.

But what does it mean? The GDPR sets rules relating to the protection of people's fundamental rights and freedoms regarding the processing of personal data. Under the European Charter of Fundamental Rights Article 8(1), the protection of natural persons with regard to the processing of personal data is a fundamental right. Prior to the GDPR, this right was protected by the Data Protective Directive. The GDPR expands on the DPD and requires additional elements of protection.

Personal data includes anything that relates to someone's identity, specifically including name, email address, bank details, social media updates, medical history and computer IP address.

Under the GDPR, when is it OK for travel companies to collect personal data? It depends on three conditions:

  1. Allowable under legitimate legal basis.
    This covers collecting information in order to book the tour, make reservations and charge the customer.

  2. Obtaining consent.
    You need to obtain customer consent if you plan to use the data for later marketing or if you share their data with others.

  3. Public interest.
    The best example for travel companies in this category is health related: Should an epidemic or pandemic arise, there would be a public interest in determining who might have been exposed.

A travel company is allowed to retain personal data as long as there is a legitimate business interest. Therefore, consider revising your document retention policy.

CONSENT

When it comes to obtaining consent from your customers, be sure to have an intelligible and easily accessible form available. The GDPR requires customers to "opt in" to consent rather than having to "opt out." This form should be distinguishable from other matters and include clear and plain language as well as the right to withdraw consent at any time. This is an example consent form for an individual company:

gdpr-for-travel-companies-form
Photo courtesy of Jeff Ment.

For minors, the same rules apply and consent for children under 16 must be given by a parent or legal guardian.

Also worth noting: Under the GDPR, individuals have the right to be forgotten. If an individual requests that their data be scrubbed, you must comply unless there's a legal purpose for retaining the data.

If you have a contract with third parties, only disclose necessary data. The third party will be responsible for the data they handle and should destroy it when the legitimate purpose is complete. Should they want to use the data for marketing purposes, they would need to obtain their own consent. Note that it's unwise to take responsibility for third-party consent yourself.

The consent form should also link to the privacy policy that contains detailed information about how the customer's data is used, stored, et cetera, along with the following:

  • Identity and contact information of the business storing the data.
  • The purpose of the processing and the legal basis.
  • Recipients or categories of recipients of the data, if any.
  • The period for which data will be stored.
  • Right to access and erasure of data. (No charge.)
  • Right to withdraw consent at anytime.
  • Right to lodge a complaint.
  • Whether the data will be processed for any purpose other than for which it was collected.

Within the privacy policy, be sure to tell customers who you are, how their personal data will be collected, what type of information is collected, how it will be used and who has access to their information. Additionally, provide an option to opt out and detail how they can access their information.

STORAGE OF PERSONAL DATA

To be in compliance with stored personal data, you must keep a record of all current and existing data, how and when a customer provided consent, how their data is being protected—you'll want encryption and firewalls, how the data is being used, and monitoring protocols to avoid a breach.

What you can do right now:

  • Conduct a full audit of all data held, how it's handled and collected, what it's used for and how securely it's stored. You should be able to get this information from your web designer and you should work with them to ensure you know the answers to these questions. Also, ensure they understand GDPR and can comply.
  • Determine adjustments. What is the legal basis of the data currently held? Adjust procedures for obtaining and storing data as necessary; think about ease of access to destroy data if an individual exercises their right to be forgotten. Staff should also understand that personal data is now protected and should not be shared at will. Staff should only receive personal data necessary for their job and there should be a plan to destroy that data after necessary use.

If there's a serious breach? You must report it within 72 hours.

Be sure to describe the nature of the personal data breach including where, if possible; the categories and approximate number of data subjects concerned; and the categories and approximate number of personal data records concerned. Describe the likely consequences of the personal data breach and the measures taken or proposed by the controller to address the personal data breach including, where appropriate, measures to mitigate its possible adverse effects. Only notify individuals if the breach is considered "high-risk."

Penalties for noncompliance are steep: a fine up to $22.8 million (€20 million) or 4 percent of annual turnover, whichever is higher.

Information courtesy of Jeff Ment. To learn more, visit Ment Law.