GDPR: Recommendations for the Travel Industry


In the last few weeks, your inbox may have seen a sudden rise in the number of emails from companies encouraging you to review their updated privacy policies. This move comes on the heels of the new General Data Protection Regulation (GDPR), which came into effect in the European Union (EU) on 25th May, 2018. The GDPR has been dubbed the biggest shake-up in data protection since the Data Protection Act of 1998. However, it is more of an ‘evolution’ in privacy regulation than a ‘revolution’.

GDPR has been designed to foster transparency in how organizations handle personal data. It aims to put control of personal data back in the hands of the individual by making him/her aware of how it is used. GDPR requires all organizations to assess the full journey and management of personal data, from the point at which they collect it right up to its eventual deletion.

Aside from doing our bit at Mystifly, we’ve also put together key recommendations to help travel businesses move forward in the new GDPR world.

GDPR: The next piece in the puzzle

Data is arguably one of the most essential assets in any travel business. The very nature of the Travel Industry demands the exchange of data. This data includes names, email addresses, bank details, and biometrics. The data gathered is leveraged to provide personalized travel experiences. However, many travel companies fear that GDPR will limit their options to drive personalization through Big Data and AI.

Jaspinder Singh, VP – Business Intelligence at Mystifly shared his take on the prevalent fear. “GDPR will not affect macro scale analytics with anonymised data. As long as the data is processed correctly and is not based on identifiable characteristics of an individual, personalization can still be achieved at a market level. However, a product designed to give individually personalized recommendations would require consent from its users.”

GDPR focuses on two main concepts – Consent and Security. An individual will have to provide his/her explicit consent for the collection, storage and use of their data. The Travel Industry is no stranger to amassing a sea of data for business purposes. However, any intent to use personal data to identify and target a customer will require clear consent. This means customers will need to have a clear understanding of the data collected and its purpose.

What is Personal Data?

According to the GDPR definition, ‘personal data’ is any information about a person that allows them to be identified, directly or indirectly. The regulation lists examples such as a name, an identification number, location data, or factors specific to the physical, cultural, or social identity of that person.

From the Travel Industry perspective, personal data could include the following types and sources of information – name, ID, telephone numbers, location, cultural and social identity (race/ethnicity), photographs/videos, financial information, biometric data, children’s data, health records, and HR records.

GDPR Compliance – The Consequences

Depending on the severity of the breach and the clauses that have been violated, the penalties are divided into two levels.

Upper Level: Failure to comply with GDPR policies can lead to the Information Commissioner’s Office (ICO) imposing a hefty fine of up to €20 million or 4% of the company’s global annual turnover for the previous financial year.

Lower Level: A fine of up to €10 million or 2% of the company’s global turnover for the financial year can be levied on the organization.

Where should travel businesses start?

The Travel Industry has a definite advantage – people always want to hear about holiday packages and travel offers.

Before we go any further, it is important for travel businesses to have well-defined answers to the following questions:

What personal information do you collect, or already store? – This could include data such as name, address, telephone number and date of birth.

What purpose does it serve? – Does the data you collect serve as a gold mine, or does it just take up space? If the data you collect does not serve a purpose, it may be best to do away with it.

Where do you house personal information? – Access to and security of personal information depend heavily on where the data is stored. As such, it is important to know exactly where this information is held.

Is a third party involved? – Will you be sharing this data with third-party organizations (data processors)? If so, you will have to ensure that they are GDPR compliant. Additionally, customers must be informed that the information collected will be shared.

Key Recommendations for Travel Businesses

Review Existing Procedures and Processes: Analyse whether existing processes and documents are up to date. Review and update your website and any other information-gathering forms to ensure GDPR compliance. Create a detailed inventory of data types. Each data set should be mapped end-to-end throughout the organization’s technology infrastructure. This practice helps identify all physical and virtual places where that data is held. This includes data about customers, employees, and third-party suppliers or vendors.

Personal Information Audit: It is crucial to assess the what, why and where of the personal information you hold. Analyse the measures that are in place to keep the data secure.

Update your Privacy Policy to Ensure GDPR Compliance: Review your organization’s privacy policy and consent notices to ensure that they reflect GDPR requirements. Make sure that all personal data you collect is given to you with the consent of the data subject. Consent under GDPR requires a clear affirmative action by the individual. Silence, pre-ticked boxes, or inactivity do not constitute consent. Furthermore, consent must be verifiable, so keep a record of what each individual consented to and when.

Set up Processes to Deal with Data Subject Requests: Under GDPR, individuals have the right to access data pertaining to them. They can also obtain a copy of their personal data along with supplementary information about the processing. Therefore, a functioning process to handle such requests from clients is crucial.

Data Breach Notification: GDPR places a duty on all organizations to report certain types of data breach. You must ensure that you have the right internal procedures in place to detect, report and investigate a personal data breach.

Centralize Information Management: Consider introducing a CRM in your organization as a means of centrally managing all your data.

Review and Update Data Processor Agreements to Handle Liability: Review and revise legacy contracts to include the mandatory terms. Negotiate the apportionment of liability and consider the adequacy of mechanisms for cross-border transfers. Controllers need to review their selection criteria for processors and update contracts. Processors need to understand their new obligations and assess the impact.

Designate a Data Protection Officer (DPO): GDPR outlines specific organizations that must appoint a DPO. This includes public authorities (except for courts) and private organizations where the core activities require large-scale processing of sensitive data. EU or member-state law may require the designation of DPOs in other situations as well.

Ensure Storage is Secure with Firewalls: Re-evaluate the security measures that are in place. This includes malware monitoring and access control to safeguard personal information.

Carry out Staff Training: Create awareness of GDPR within the organisation. Build consensus on the approach to be taken, and gather information on current practices to prepare a project plan. To emphasize its importance, company leadership should drive GDPR awareness and preparedness.

GDPR in the Travel Industry – Threat or Opportunity?

There has been a lot of chatter in the Travel Industry about the impact the GDPR will have on travel businesses around the globe. While many view the regulation as a step in the right direction, some perceive the GDPR as a roadblock to the future of their business. So, is the GDPR a boon or a bane? The answer may be subjective and may vary depending on how you perceive GDPR. Here are a few thoughts to help you weigh in on the debate.

The GDPR is neither a threat nor an opportunity; it is a regulation. It is a mandate that MUST be implemented if you are an organization that operates in the EU or does business with people within the EU. GDPR intends to safeguard the interests of individuals by giving them greater authority over their personal information.

Much of the data that travel businesses gather is mandatory in order to provide the service. Jaspinder mentions – “A lot of personal data collected as a part of servicing a booking for a traveler is a legal and operational requirement. Organizations need to maintain data privacy by default. These should serve as the guiding principles in their product offerings. Data security and privacy should be built into a company’s culture. Also, having control over data processors and those who have access to data within the organization is a good business process. Having a public data privacy culture would also help in building trust with the end customers. And in today’s economy that thrives on reputation, this will earn good dividends.” As long as the data collected and maintained stays within the legal bounds of GDPR and the integrity of the organization, GDPR should not prove to be a hassle. In fact, GDPR offers credibility to travel businesses that are well within its fold. This fosters trust in the eyes of the traveler, which could result in repeat business.

GDPR serves as a double-edged sword. Cleaning up a database would enable the segmentation of an audience based on their permission to be contacted. This could improve open and conversion rates. However, it could also result in a smaller customer base and thereby reduced brand/product awareness.

At Mystifly, we believe that at the heart of exceptional customer experience is trust and security. We constantly strive to safeguard this. In compliance with GDPR standards, we’ve updated our Privacy Policy. This will help our customers understand the data we collect, why we collect it, and what we do with it.

For more information on the key changes and policies of the GDPR, we encourage you to review the complete guidelines here.