This is a guest comment from Tamite Secure’s Richard Bristow.
The regulations will introduce a new emphasis on citizen rights, and in this case their rights to have their data protected.
While this is an EU law, it will apply to the UK before Brexit and is highly likely to remain as a replacement for all or the majority of our current data protection laws after Brexit. Even if it does not, companies that have dealings with EU-based products and suppliers will need to comply.
In short, very few companies will not be affected by GDPR. The new regulations require that customer data is protected throughout the processing of a transaction and during its later retention in computer systems. If you retain a client’s name, address or financial details, for example, and you share these with a supplier, it will be the originating system’s (that is, the originating company’s) responsibility to protect and maintain the data in a secure and safe manner.
There are 12 main steps that companies need to take now to start preparing for the introduction of the new regulations. PCI-DSS compliance is also closely linked to that of the GDPR.
For businesses in the service industry, such as travel, apart from the technical issues that need to be addressed under the GDPR, the biggest issue is the huge increase in fines for non-compliance. The significant aspect is that fines are not only going up so significantly that they could threaten a business’s survival, but they will be based on turnover, not revenue.
Current estimates are that a fine for a data breach (a hack) will be 5% of turnover. For example, a small travel agency with a turnover of £2 million and revenue of £200,000 would receive a fine of £100,000 for losing a client list or financial details to a third party.
Obviously, the effects on SMEs and enterprise-sized companies would be equally severe but possibly not fatal. To put it into perspective, if Talk Talk’s recent fine of £400,000 for not protecting clients’ data had happened with the GDPR in force, it would have been (arguably) £20 million.
From now on, businesses must take the GDPR very seriously, and with it the need to protect their business data, because once it is in place the consequences of a data breach will be game changing.
Richard Bristow is sales director at Tamite Secure