The General Data Protection Regulation (GDPR), which replaces the Data Protection Directive 95/46/EC, applies from 25 May 2018 and will affect every travel company. It is intended to harmonise data privacy law across Europe, to protect and empower the data privacy of everyone in the EU, and to reshape the way organisations approach the issue.
Speaking at the recent Travel Technology Initiative Summer Forum, travel professionals shared their views on how best to prepare...
Read the ICO website
Kuoni says it follows the Information Commissioner’s Office’s website (ico.org.uk) to review the recommendations and identify gaps in its current processes, before working with key members of the business teams to prioritise the changes to be made. Steve Taylor, development project manager, Kuoni, said the ICO’s “Getting Ready for GDPR” progress tool has been helpful in creating a detailed checklist. He also highlighted law firm Bird & Bird’s GDPR guide as a useful reference – twobirds.com/en/hot-topics/general-data-protection-regulation
Look at company phones and other devices
Think about your staff and their devices, Steve Dobson, IT security director at Atcore, urged. For example: are your company’s devices regularly patched? Can you remote-wipe phones and tablets if they are lost or stolen? When staff members change roles, are their access rights reviewed, and when someone leaves, is their access to all systems revoked?
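The last two questions above (are rights reviewed on a role change, and is access revoked when someone leaves) are the ones that tend to fail silently, because every system keeps its own account list. One way to put the check on a schedule is to reconcile the HR roster against each system’s account export and list the accounts that should no longer exist or should be re-reviewed. The script below is an added example, not code from Kuoni, Atcore or the article; the roster, the account exports and the field names are constructed for illustration, and the report is as of the GDPR start date.

```python
"""Leaver/mover/owner reconciliation against per-system account exports.

All data here is constructed for the example. In practice the roster would
come from HR and each account dict from that system's own admin export.
"""
from datetime import date

AS_OF = date(2018, 5, 25)  # report date used by main() and the test

# Constructed HR roster: employee id -> record. A leaver keeps a record with
# status "left" and a leave_date; a mover has role_changed updated by HR.
HR_ROSTER = {
    "E100": {"name": "A. Example", "status": "active", "role": "sales",
             "role_changed": date(2018, 1, 8), "leave_date": None},
    "E101": {"name": "B. Example", "status": "active", "role": "finance",
             "role_changed": date(2018, 4, 2), "leave_date": None},
    "E102": {"name": "C. Example", "status": "left", "role": "support",
             "role_changed": date(2017, 6, 1), "leave_date": date(2018, 3, 30)},
}

# Constructed account exports: system -> username -> owner employee id, the
# groups granting access, and the date a manager last confirmed that access.
SYSTEM_ACCOUNTS = {
    "crm": {
        "a.example": {"owner": "E100", "groups": {"sales"},
                      "last_reviewed": date(2018, 2, 1)},
        "c.example": {"owner": "E102", "groups": {"support"},
                      "last_reviewed": date(2017, 12, 1)},
    },
    "finance-db": {
        "b.example": {"owner": "E101", "groups": {"finance"},
                      "last_reviewed": date(2018, 2, 1)},
        # service account whose named owner is not in the roster at all
        "svc-report": {"owner": "E999", "groups": {"finance"},
                       "last_reviewed": date(2017, 9, 1)},
    },
    "email": {
        "a.example": {"owner": "E100", "groups": {"staff"},
                      "last_reviewed": date(2018, 2, 1)},
        "b.example": {"owner": "E101", "groups": {"staff"},
                      "last_reviewed": date(2018, 4, 10)},
    },
}


def reconcile(roster, accounts, today):
    """Return (system, username, reason) for each account failing a check.

    Checks, in order: owner unknown to HR; owner has left and the account is
    still present; owner's role changed after the account was last reviewed.
    Results are ordered by system then username so the report is stable.
    """
    findings = []
    for system in sorted(accounts):
        for username in sorted(accounts[system]):
            acct = accounts[system][username]
            rec = roster.get(acct["owner"])
            if rec is None:
                findings.append((system, username, "owner not in HR roster"))
                continue
            left = rec["leave_date"]
            if rec["status"] == "left" and left is not None and left <= today:
                overdue = (today - left).days
                findings.append((system, username,
                                 f"leaver; access not revoked {overdue} days after leaving"))
                continue
            if rec["role_changed"] > acct["last_reviewed"]:
                findings.append((system, username,
                                 "role changed since last access review"))
    return findings


def main():
    for system, username, reason in reconcile(HR_ROSTER, SYSTEM_ACCOUNTS, AS_OF):
        print(f"{system:<12} {username:<12} {reason}")


if __name__ == "__main__":
    main()
```

The point of keying every account to an HR identifier is that revocation becomes a query rather than a memory test: an account with no owner, or an owner who has left, is a finding regardless of which system it lives in. Service accounts surface naturally as the ones whose “owner” is not a real person, which is exactly the population that usually escapes leaver processes.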
Involve all your staff...
Progress is discussed at Kuoni’s UK board meetings and international business review meetings (“You need that buy-in at the highest level,” Taylor said) and staff are updated regularly via the intranet. “It is important to continually remind staff of their role in compliance – it isn’t just the IT department’s responsibility,” said Taylor. “We are making sure all staff are informed,” he said.
… as well as your suppliers
Keeping track of where data is stored, and of the whole data chain, is vital. For example, Kuoni is engaging with suppliers, taking responsibility for ensuring that they are aware of GDPR. “It doesn’t need to be a majorly complicated system, it just needs to be auditable,” said Trina Cotes, strategic development director, Kuoni.
Update your privacy policies
Update the privacy policies on your website, and ensure they are clear and concise and that consent functions are thoroughly tested so nothing is ambiguous. “Ensure all staff know what is expected of them – training, training and more training,” said Cotes.
Set up Privacy Impact Assessment templates
Kuoni has introduced Privacy Impact Assessment (PIA) templates to identify the data that is in scope (the completed PIAs will be used to demonstrate compliance), and it is assisting its third-party developers with their own compliance. Taylor explained the logic of this “data protection by design” strategy: “Adding steps to compliance at the beginning will be far easier than retrofitting later.”
Rethink your email marketing
Phil O’Sullivan, marketing director, The Newmarket Group, said that businesses which currently use enquirer and customer data as a revenue stream for future business are able to assume those people have opted in: “If they’re buying a holiday from you, you can send them marketing emails so long as they have an unsubscribe option in them. With GDPR, you are not allowed to have automated opt-in… That is a colossal amount of revenue that could be lost overnight.”
Beware ‘ambulance chasers’
Atcore’s Dobson predicted that legal firms will be “ambulance-chasing” to find people whose data has been breached. As a result, he said, it is vital for travel firms to take organisational and security measures that protect against unauthorised or unlawful access, and to be able to demonstrate compliance. These measures include training staff on GDPR and general information security (InfoSec) awareness, and the “Three Ws” – knowing what information you are holding, where it is held and who is responsible for it.