In a panel discussion at the Elite Travel Group’s annual conference, which was held last weekend in Calvia, Mallorca, the issues surrounding the new data protection regulations were raised, with many agents confused on what needs to be done.

Simon Bunce, director of legal affairs at ABTA, told agents to ‘keep calm’ over the new regulations, which come into force in May next year, but warned that they should start thinking about how they are going to comply.

He said: “Don’t panic about the changes; nothing massive is going to happen on 18th May next year. However, you do need to start thinking how you are going to get ready for May because if you get hacked or a customer has an issue on the data you have on them– and the Independent Commissioner’s Office (ICO) sees that you haven’t taken any steps to try and comply, then you will have a problem.”

Bunce advised agents to check its model privacy guide - available on its website – as a starting point on how to prepare for the change. The guide offers a simple spreadsheet, breaking down the data into columns such as what data is held, who it is shared with and what security surrounds the data. He said: “If you can fill in the spreadsheet with no issues, then you’re heading in the right direction, but if there are gaps in it, for example, when it asks how long you keep the data for – and you’re answering ‘forever’, then you will need to start changing your systems.

“The regulation is about giving consumers more information about what companies are doing with their data. The aim of the ICO is what they call ‘surprise minimisation’, meaning that your clients should not be surprised about what you are doing with the information you hold on them.

“So whenever you take the data from a client, make sure you tell them what you are doing with it and why.”

According to Bunce, the real headache for agents is the information held on emails and he warned attendees that even if they delete an email – and then delete it from the trash – it still goes somewhere, and that companies needed to think about how they store and file their data.

He said: “It is up to agencies to ensure that the information they have deleted is gone for good. The really tricky bit is how you manage those emails. An auto-deleting tool for emails could become a necessity, as well as outsourcing this task to an IT company.

“The good thing about this new directive is that your third party IT suppliers are also liable to comply with the new regulations, so you can start working this into your contracts with them.”

Delegates also learned that standards of data protection differ in countries outside of the European Union. So, for example, an agent sending their client’s details to a hotel in South Africa isn’t responsible for what happens to that data at the other end. They are obliged to tell their clients that they are sending the information on, but what that company then does with the data isn’t then their responsibility.

Bunce said: “Your privacy statement should state something along the lines of ‘standards of security around data differ once you get outside the EU’ – and the customer will understand this. As long as you’ve done what you’re supposed to do, you’ll be okay.

“With regards to direct marketing, as long as you state in your privacy statement something along the lines of ‘if you go on holiday with us we will send you offers we think you may be interested in’ and as long as you give them a very clear way of opting out of this – for example a clear ‘Unsubscribe’ button on your emails, then I am confident that you can market to your clients.”

twn Are you sure that you want to switch to desktop version?