Abta is warning travel companies to be prepared for the General Data Protection Regulation (GDPR), which comes into force in less than four months.
From May 25, the GDPR will affect how businesses collect, use, manage and store customer and employee personal data. The GDPR will require businesses to be more accountable and have clearer and more robust processes in place when handling personal data relating to customers, staff and others.
Abta says GDPR will particularly affect the travel industry, which has multiple uses for data and multiple channels for collecting it. Travel companies collect and share customer information with suppliers, often overseas, for booking purposes and the association says it is “vital that businesses review the contracts they have in place with third-party suppliers”.
A spokesperson added: “If they haven’t already done so, businesses need to get started with the following three steps as soon as possible: Perform a Review, understand the Requirements and collate Relevant records.”
Abta advises a full audit of the data held and how it is handled. It has produced a data protection audit spreadsheet with guidance to help members. It adds: “They need to understand if their procedures for acquiring and processing data are robust enough to meet the more rigorous requirements of the GDPR.
“Businesses need to consider what the legal basis is for processing relevant sets of data, as they will only be able to process personal data if it adheres to one of six lawful bases, such as when processing is necessary for the performance of a contract.”
It adds: “Businesses need to update their privacy statements in order to be completely transparent with customers about how they use their data.”
Non-compliance with the new laws could result in fines of up to £17,000,000, or 4% of annual turnover.
Simon Bunce, Abta’s director of legal affairs, said: “The GDPR is an evolution in the way that data is protected, rather than a revolution. The biggest priority now is knowing what GDPR means for their businesses and having the organisational capacity to start making changes in time for its introduction in May.”
Rhys Griffiths, partner & head of travel regulation at law firm Fieldfisher, added: “One new key principle in the GDPR is accountability – it’s no longer enough to comply with data protection laws, businesses must demonstrate how they meet the new regulation.”