TTG - Travel Trade Gazette
For Smarter, Better, Fairer Travel
User Menu
Remember me

New to TTG?

Hello! You are viewing your 1 free guest article this week

Please log in or join now for free, immediate and unlimited access to our award-winning online content. Find out more...

Join us
Already a member? Log in here

Advisor: Keeping up-to-date with the personal data reforms

The regulations for handling and protecting personal data are being reformed. Asb law’s Debbie Venn explains the changes.


The regulations for handling and protecting personal data are being reformed. Asb law’s Debbie Venn explains the changes

Given the technological advances that have taken place since the introduction of the Data Protection Act nearly 20 years ago, reform of data protection legislation is somewhat overdue.

The General Data Protection Regulations (GDPRs) have been adopted by the European Parliament and as a result, will become law in the UK on May 25, 2018.

The GDPRs impose a vast number of new obligations on both data controllers and data processors, and seek to evolve and harmonise the approach to data protection throughout the European Union (EU).

This will be particularly important for travel businesses where there is a lot of personal and sensitive data being processed, both inside and outside of the EU.

What are the key provisions of the GDPRs?

The GDPRs will apply to all businesses that monitor behaviours or provide goods or services to individual residents in the EU. The GDPRs change a number of key areas of data protection legislation, including:

Consent: The consent required by data subjects under the GDPRs must be clear, affirmative, unambiguous and freely given.

This is to ensure that data subjects are aware of the legal basis for which the processing of their data is taking place. Consent should not be provided through pre-ticked boxes, and more transparency is required.

Data processors: For the first time, obligations will be imposed directly on data processors. This includes obligations regarding accountability, breach reporting, record keeping and data transfer.

Accountability: The GDPRs impose more obligations on data controllers to be accountable, with the introduction of compulsory appointments of data protection officers (where large-scale monitoring or processing takes place), data protection impact assessments and data protection by design.

Children: Specific provisions regarding children and the need for reasonable efforts to be taken to verify consent in relation to children will be introduced.

Individual rights: The timelines, process and exemptions in relation to subject access requests will change and new protections are to be introduced including the right to be forgotten, the introduction of data portability and new profiling measures.

Breach notification obligations: Data processors are obligated to notify any breach they become aware of to the data controller, and the data controller is obligated to report any breach they become aware of to the regulator (and in some cases the individuals concerned) within 72 hours of the breach arising.

What are the implications for non-compliance?

In addition to bad publicity and reputational damage, the GDPRs introduce significant fines for non-compliance. The fines adopt a two-tiered approach. The first tier, for less serious breaches (such as failure to keep the records), is up to 2% of the business’s global annual turnover or €10 million (whichever the greater).
The second tier is for more serious breaches (such as data transfers) and is up to 4% of the business’s global annual turnover or €20 million (whichever the greater). These fines are huge and businesses should take compliance seriously.

But what about Brexit?

The government has confirmed that as the UK will still be a member of the EU in May 2018, the UK will adopt the GDPRs as any other member would. This does not mean that the UK won’t amend data protection legislation following Brexit (although substantive change is unlikely), but it does mean that the GDPRs will become law in the UK from May 25, 2018.


How can businesses prepare?

Businesses need to act now with a pro-active approach to prepare for the GDPRs. Making data protection a priority and budgeting appropriately for the necessary changes is key. While not all of the guidance has been released, businesses can start preparing for the GDPRs by:

  • Creating awareness regarding the GDPRs and their implications throughout the business, making sure those employees handling personal data, such as HR teams and directors, are aware of the new requirements.
  • Auditing how personal data is collected, stored and managed, and making sure that the appropriate recording procedures are in place.
  • Reviewing technical and organisational measures, including administration and IT processes.
  • Reviewing the data protection policies in place to ensure the business has the following GDPR-compliant policies:
  • privacy policy;
  • data breach policy;
  • data retention and deletion policy;
  • internal data protection policy for staff;
  • subject access request policy.

The GDPRs will impose a number of new obligations on businesses with robust enforcement from May 2018. They also present a great opportunity to review and assess your approach to data protection and compliance.

Email and let us know your thoughts or leave a comment below
Please sign in to comment.

Our Next Events

Luxpo London

Luxpo London

TTG New to Cruise Festival

TTG New to Cruise Festival

TTG Luxury Travel Awards

TTG Luxury Travel Awards

TTG Top 50 Travel Agencies

TTG Top 50 Travel Agencies

TTG Travel Awards

TTG Travel Awards

TTG - Travel Trade Gazette
For Smarter, Better, Fairer Travel
TTG Media Limited.
Place of registration: England and Wales.
Company number 08723341.
Registered address: New Bridge Street House, 30-34 New Bridge Street, London EC4V 6BJ