Yes, it’s coming: Is your business ready for GDPR? 

This is a viewpoint from Steve Dobson, Director Information Security at The ATCORE Group.

Yes, it’s coming: the EU General Data Protection Regulation (GDPR) comes into effect on the 25th of May. That’s roughly three months from now. So if you’ve been avoiding the topic, now is the time to tackle it.

There has been a lot of talk about the new regulation. Advice is varied and, unsurprisingly, businesses are confused. Many customers have asked us what they need to do to prepare for GDPR. Below are six key questions we think travel businesses need to address if they are to be ready for the new legislation coming into effect in May. As you can see in Don’t delay — the fines are steep for non-compliance!

#1: What are the risks if I do nothing about GDPR?

The quick answer is you could get a hefty fine of £20,000,000 or 4% of global turnover, whichever is greater.

It is unlikely that many companies will be fined at the upper end of this new range in the early days of this legislation but still expect your insurance companies to start asking detailed questions about what you are doing to mitigate the risk of GDPR.

#2: Where do I begin?

Your business is expected to be able to demonstrate compliance through accountability. Proving accountability requires auditable evidence created through the application of appropriate organisational and technical measures.

You must start by identifying and documenting all information you hold concerning Data Subjects. A good way to do this is to implement the 4W approach:

What am I holding? Identify all personally identifiable information (PII).  This is typically items such as name and address, telephone numbers, date of birth and passport number.

Why am I holding it? If you don’t have a reason for holding data, consider getting rid of it.

Where is it held? This might, for instance, be in your reservation system, CRM system or just in copies of invoices in PDF format within the normal file structure of a disk drive.

Who is responsible for it? This is a key role in ensuring that rules are being followed when handling the data.

#3: What is data ‘protection by design and by default’?

A key requirement of GDPR is the implementation of data ‘protection by design and by default’. The legislation requires the demonstration of compliance through ‘Accountability’ which in turn is proven via ‘Appropriate Organisational and Technical Measures’.

It is the responsibility of a business’ Data Controller and Data Processor to ensure that they have implemented appropriate organisational measures. In addition, the Data Controller is responsible for ensuring that the Data Processor understands their responsibilities under the legislation and is taking appropriate measures to comply.

Appropriate organisational measures are all about policies and procedures. They cover everything from an Information Security Policy, a Change Management Procedure, Appropriate Technical Measures, Pseudonymisation and Encryption (and more).

You can find a glossary of these measures on the Information Commissioner’s Office (ICO) website, and we also detail them in our White Paper.

#4: What is ‘lawfulness of processing’?

In terms of lawful processing, there are three key areas travel businesses, in particular, should take note of:

Contracts. A contract, or information required to enter into a contract, are a lawful basis for the processing of personal information. A holiday booking constitutes a contract.

Legitimate interests, fraud. Protecting against fraud provides a legitimate interest approach to process personal information.

Consents. This is the catch-all to provide a basis for the legal processing of personal data. In essence, this is covered by the traditional tick box approach but there are some new caveats for example when asking for consent you can no longer have pre-ticked boxes and when recording consent, you must keep records of how this consent was gained.

Remember that the personal data can only be used for the purpose for which it was collected.

#5: How long can I hold data for?

You can keep data no longer than is necessary, and only for the purpose for which it was collected. There are two levels of data retention which affect travel businesses:

Contractual data. Contractual data must be retained for the purpose of fulfilling all aspects of the contract and may be extended based on legitimate interests such as fraud protection or as required by tax authorities.

Consent data. It is up to the Data Controller to define how long consent from a Data Subject can be maintained, but the legislation prevents open consent periods. Once the final data retention period has passed, any personal data must be anonymised or deleted.

#6: What are the rights of the Data Subject?

The Data Subject has the right to obtain confirmation about the processing of their personal data and a copy to be provided in a paper or a commonly used electronic form.

They also have the right of portability of their personal data.  It is expected that this will be an XML or similar data feed based on the same data as used within the right of access request.

Whilst data such as a booking itinerary would need to be included in this request, data concerning itinerary elements, such as a hotel description or photographs, which were not provided by the Data Subject, are not.

The Data Subject has the right to have incorrect personal data corrected and have incomplete personal data completed. Finally, they have the right to have their personal data erased, subject to conditions laid out in lawfulness of processing.

This is a viewpoint from Steve Dobson, Director Information Security at The ATCORE Group.

Opinions and views expressed by all guest contributors do not necessarily reflect those of tnooz, its writers, or its partners.

Photo by Kai Brame on Unsplash.

Share on FacebookTweet about this on TwitterShare on LinkedInEmail to someone

About the Writer :: Viewpoints

A founding principle of tnooz was a diversity of viewpoints from across the spectrum. Viewpoints are articles by guest contributors from around the travel and hospitality industries. The views expressed are the views and opinions of the author and do not reflect or represent the views of his employer, tnooz, its writers, or partners.



Your email address will not be published. Required fields are marked *

  1. John

    To start with GDPR is another one of those things that Europeans want to feel they are important like during the colonial era – if Singapore or ASEAN passed some kind of data protection act that didn’t allow companies to keep personal data or track people no one would be talking about it.

    Secondly it will be companies like the writer in the article who will be running all round trying to update their systems to comply whereas the real culprits won’t even do anything. For example when i connect my android phone to a wifi Google knows about where my phone is the details about the Wifi hotspot and all sorts of other information. They can track my behavior without me even switching on GPS or using Google Maps ( where the opt-out in feature for GDPR might be ). Secondly companies like doubleclick track user behavior using cookies and even though they might not store my name they pretty much have a profile built that knows who i am. To overcome this a popup would need to come every time a cookie is updated in the browser.

  2. Richard Bristow

    Excellent article. It is good to see a trade supplier put an expert of Steve’s experience in place. I have not seen any other software solution provider in the travel sector take GDPR so seriously. It is a surprise as the changes are so fundamental to customer relationships and operations.
    Fines could wipe out many companies !


Newsletter Subscription

Please subscribe now to Tnooz’s FREE daily newsletter.

This lively package of news and information from Tnooz’s web site provides a convenient digest of what’s happening in technology that drives the global travel, tourism and hospitality market.

  • Cancel