Don’t fear GDPR, it’s the logical next step in your company’s digital transformation

Every business that processes customer data must be General Data Protection Regulation (GDPR) compliant by May 25 next year, yet some companies will have more work to do than others. But with these precious few months left, rather than thinking this is some kind of “tick the boxes” exercise, audit your business effectively to comply, get a better picture of your customers, then show your customers, competitors and peers how you are embracing digital transformation.

Let’s take a quick look at what’s happening. We know GDPR is about giving customers greater control over their personal data, but closer to home in the UK the Data Protection Bill (DP Bill) was introduced on September 14; now it needs to pass through the House of Commons and the House of Lords before it becomes law. Why? Because the Information Commissioner’s Office (ICO) believes GDPR gives countries limited opportunities to make provisions for how it applies in their country, so the DP Bill is the UK’s way of tailoring it to our needs. Once approved, it’s designed “to be read alongside GDPR”. Regarding the DP Bill, the government says it will:

  • Make it simpler to withdraw consent for the use of personal data
  • Allow people to ask for their personal data held by companies to be erased
  • Enable parents and guardians to give consent for their child’s data to be used
  • Require “explicit” consent to be necessary for processing sensitive personal data
  • Expand the definition of “personal data” to include IP addresses, internet cookies and DNA
  • Update and strengthen data protection law to reflect the changing nature and scope of the digital economy
  • Make it easier and free for individuals to require an organisation to disclose the personal data it holds on them
  • Make it easier for customers to move data between service providers

So back to travel – and let’s face it, it’s one sector that will really have its work cut out. OTAs deal with many supplier APIs and databases, so must be ready. And with the large amounts of cash flowing through the business, taking into account how they handle money, OTAs should particularly take note of how any maximum ICO fines will relate to a percentage of group turnover, and not revenue.

Can the location of where you store data matter? Absolutely, and with the very nature of our industry all about crossing boundaries, data storage is particularly relevant. If you hold the details of customers that reside in the EU, despite your company not being based in the EU – you will also fall under GDPR’s remit.

GDPR also requires companies to consider appointing a data protection officer (DPO) – with individual countries able to decide whether to enforce this or not. Hungary, Germany and France, for example, make this a legal requirement. The UK does not – but for larger travel companies it clearly makes sense.

With cloud computing on the rise, travel organisations increasingly find themselves storing data across the globe. Post Brexit, GDPR applies, but what of the EU’s relationships with other countries? When it comes to America, the EU-US Privacy Shield comes into play; it replaced the previous “safe harbour” agreement only last year. It will “protect the fundamental rights of Europeans when their personal data is transferred to US companies” – and importantly US companies have strict policies to adhere to when dealing with EU organisations. What happens after Brexit remains to be seen. Other data agreements are also reportedly being drawn up with Asian and Australia/New Zealand governments.

Meanwhile, for processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data. So those email enquiries your company receives cannot be processed and the user’s details stored in your database for future marketing activity. In August last year, Flybe was caught out, and fined £13,000, under the current regulation, as the ICO found that the airline had sent 3.3 million emails to people who had told them they didn’t want to receive marketing emails from the firm. The emails, sent in August 2016 by Flybe, with the title “Are your details correct?” advised recipients to amend out-of-date information, and update any marketing preferences. The email also said that by updating their preferences, people may be entered into a prize draw.

The ICO was not impressed. Its advice is that you can only market to individuals if they consented to emails from you, or they are an existing customer who bought (or negotiated to buy) a similar product or service from you in the past, and you gave them a simple way to opt out both when you first collected their details and in every message you have sent. That advice will remain a cornerstone of GDPR.

Over to you

For those working in the travel industry, managing GDPR will require you to rethink how you do business. You will need to constantly manage and update your GDPR compliance regime. Refresh your systems, or with new systems think about “Privacy by design” techniques, so taking privacy into account throughout every step in the design and building phase.

Should you appoint a DPO? It’s a tough call, but don’t forget you can also appoint an existing employee internally, making sure they have a good understanding, and are prepared to keep up to date with a complex and ever evolving topic. Or you may engage an external person or consultancy. If you ever find yourself dealing with the ICO, you’ll be glad to have a DPO in place.

At a recent GDPR forum I attended, run by the Travel Technology Initiative (TTI), technology lawyer Dai Davis said the fundamental change with the GDPR is that the way to be fair with people’s data is by “ramming the legislation down consumers’ throats”. “Conceptually it’s different: with the old legislation, you must comply with the principles; with GDPR, you must comply with the legislation,” he went on to say.

Think of GDPR as enforced digital transformation. It might be a bitter pill to swallow, but you’ll feel a whole lot better after doing so. Now you need to audit infrastructure, software, policies and procedures. At DataArt, we help businesses manage their data, often across different systems, and going forward GDPR will be as much about reading between the lines.

But you can turn GDPR into a positive. Show customers that you care, publish your GDPR work on your website. Many in the travel industry are still undergoing significant digital transformation, and this is a part of that.


By Charlotte Lamp Davies, Vice President, Travel & Hospitality DataArt UK
