2018 is in full bloom which means that we’re one step closer to the introduction of the European Union’s General Data Protection Regulation (GDPR). Set to come into force in May 2018, the GDPR is a comprehensive, 88-page-long document with 99 articles that has most EU businesses shaking in their boots. But don’t worry, preparing for the upcoming regulation before it’s put into practice will make it less scary than it sounds!
So, what is the GDPR?
Due to 20+ years of continuous technological advancements, a review of the EU’s current laws on data protection was much needed. The GDPR is basically an up to date version of the 1995 Data Protection Directive and the subsequent 1998 Data Protection Act, designed to further strengthen the rights of the individual when it comes to any personal information that is being held about them. That includes their name, telephone number, postal address, e-mail address and even less obvious personal data like their IP address. Think data protection as we know it x 1000.
What are the requirements?
The GDPR requires EU businesses to follow seven principles when it comes to processing personal data. These principles state that data must be:
- Processed in clear, understanding terms with the data subject’s consent;
- Only used for the intended reason, and not for any reason that the data subject has not consented to;
- Relevant to the reason for processing, without collecting more data than needed to fulfil your obligation to the data subject;
- Up to date and accurate;
- Kept for only as long as is necessary;
- Kept safe and secure;
- Stored in a way that proves that these principles are being adhered to.
On top of these principles, the GDPR also introduces several rights which will enable data subjects to manage their personal information as they see fit. This means that data subjects will be able to access, rectify, erase, restrict and/or object to the processing of their personal data at any given time.
Even though the principles and rights outlined in the GDPR are pretty reasonable, they place pressure on EU businesses to review and update their processes before the timer runs out.
But what does the GDPR mean for travel brands?
From identification, passport details and payment information to marketing lists, preferences and travel patterns, those that operate in the travel sector collect all kinds of sensitive data that must now be made GDPR compliant.
Making sure that your business complies with this regulation will require you to conduct an internal audit of all the personal data that you currently hold, and reference it to the seven principles established in the GDPR, as well as the rights of the data subject.
We’re all guilty of saving little pieces of information that we think may help us at a later date, so it’s key to understand what data we hold and more importantly, why we hold it, how long we keep hold of it for and whether or not we have permission from the data subject to do so. Can the data subject easily access it? Where is it stored? Are there sufficient security measures in place to protect the data from a breach? These are all things that travel brands must consider when preparing for the GDPR.
The next step is getting all of this information documented. This will involve reviewing and updating processes, procedures, privacy notices, terms and conditions and contracts with third party suppliers such as airlines, hotels and technology providers like ourselves. Rest assured, we’re en route to GDPR-compliance as we speak!
The GDPR also applies to employees, so businesses must review employment contracts, company handbooks and internal HR processes in the same way.
Will not acting in accordance with the GDPR have any implications?
In the event of a breach of a personal data, businesses must inform the data subject affected, as well as the appointed supervisory authority, describing the extent of the breach, measures taken to avoid it from happening, how it occurred and its likely impact.
Like most legislation, non-compliance with the GDPR will come with a hefty penalty – we’re talking up to 4% of your businesses annual turnover hefty.