With less than four months to go until the General Data Protection Regulation (GDPR) comes into force, ABTA has reiterated that travel companies must begin preparations to meet the new regulations, if they haven’t already done so.

From May 25, the GDPR will affect how businesses collect, use, manage and store their customers’ and employees’ personal data. Many travel companies will already have processes and systems in place that go towards compliance with the new rules; however, there will be some changes.

GDPR will require businesses to be more accountable, and have clearer and more robust processes in place when handling personal data relating to customers, staff and others whose personal data they deal with. This is particularly relevant for the travel industry where there are often multiple uses for data and multiple channels for collecting it too. Similarly, travel companies collect and share customer information with suppliers, often overseas, for booking purposes, so it’s vital that businesses review the contracts they have in place with third-party suppliers.

ABTA has recommended that, if businesses haven’t already done so, they need to get started with the following three steps as soon as possible: perform a review; understand the requirements; and collate relevant records.

Firstly, businesses need to carry out a full audit of the data they hold and how they handle it, including how it’s collected, what it is used for and how it is stored securely. The travel association has produced a data protection audit spreadsheet with guidance which can help members in their preparations for the GDPR.

Next, businesses need to understand if their procedures for acquiring and processing data are robust enough to meet the more rigorous requirements of the GDPR. They need to consider what the legal basis is for processing relevant sets of data, as they will only be able to process personal data if it adheres to one of six lawful bases, such as the fact that the processing is necessary for the performance of a contract with the data subject. More information about each of the bases can be found on the ICO website.

Finally, businesses need to update their privacy statements in order to be completely transparent with customers about how they use their data. They need to clearly inform individuals about the purposes of processing their data and what will happen to their data, keeping in mind all the additional details required under the GDPR.

Non-compliance with the new laws could result in fines of up to £17,000,000 or 4% of annual turnover. Other business implications of failing to adhere to these regulations could also include loss of goodwill and employee trust, and negative publicity.

Simon Bunce, director of legal affairs for the association, said: “The GDPR is an evolution in the way that data is protected, rather than a revolution. The biggest priority now is knowing what GDPR means for their businesses and having the organisational capacity to start making changes in time for its introduction in May.

“We can expect everyone to demand higher levels of security and compliance following the introduction of the law and any perceived weakness in this area will damage trust. ABTA has been helping members prepare for the GDPR since Autumn 2016, raising awareness at regional meetings, developing dedicated events and creating materials which explain what steps they should be taking. We have also been pointing people to the ICO’s ‘12 steps to take’ guidance document.”

ABTA will be holding a number of one-day seminars on the regulatory changes occurring in 2018, including the GDPR, throughout the coming months. In addition to this, its Travel Law Seminar in May will provide legal updates for the travel industry across a two-day event.

Visit abta.com/events or, for more information, members can access specific resources on the new law via ABTA’s member zone.
