During the early months of 2018, travel companies across the EU were busy sending out emails to their customers urging them to sign up to continue receiving marketing messages from them.
The theme of these messages was usually along the lines of “We don’t want to lose you” or “Let’s stay in touch”, with links sending the consumer back to the brand’s website to effectively re-subscribe to marketing emails they may have been getting for years.
The reason for this blitz of email correspondence was to allow firms to comply with the EU’s new General Data Protection Regulations (GDPR), which came into force on May 25. GDPR has introduced more stringent data protection rules across Europe and is set to have global repercussions for the travel industry as well.
GDPR basically tightens the rules on how companies collect, manage and secure consumer data. This includes ensuring consumers give “explicit consent” to receive marketing messages – effectively ending the practice of having opt-out and pre-ticked boxes.
Security is also one of the major tenets of GDPR, with companies now having to alert the appropriate authorities of any data breach within 72 hours, as well as facing potentially eye-watering fines of up to €20 million or 4% of global turnover per breach.
While GDPR has been on the radar of most EU-based travel firms for at least a year or two, the issue of data security has now seeped into public consciousness with several high-profile cases: most notably the Facebook-Cambridge Analytica scandal when the political research firm was able to access the personal data of 87 million Facebook users.
The travel industry has not faced anything on this scale so far, but the dangers are there, particularly with travel firms collecting and storing significant amounts of data on their clients – for example: names, addresses, passport numbers, dates of birth, payment information, loyalty card details and even health information for some customers.
Complying with GDPR is not just an issue for EU-based travel companies; it can also have implications for firms based in other parts of the world.
Paul Stephen, chief executive of global digital marketing agency Sagittarius, says: “GDPR is not about the travel brand – it’s about the EU citizen and covers their rights as a person. It doesn’t matter whether you are based in the EU or not as a company; it’s about whether you are selling to EU citizens.
“Often, travel companies don’t know where their customers are based. So if you’re marketing to, or expecting to carry, EU citizens, you need to toe the line when it comes to GDPR.”
GDPR is being seen as setting a “new bar” in data protection regulations and similar new rules could eventually be introduced in other countries, particularly now data has become such a “hot” issue for politicians.
It’s worth noting that when Facebook chief executive Mark Zuckerberg appeared before two US congressional committees in April, politicians repeatedly asked him if he would extend GDPR’s consumer protections to cover US-based users. The US has generally had less stringent rules on data protection and security than in the EU, even before GDPR came into force.
“We are in a global world and the EU is setting the bar high – that could be good for the rest of the world,” adds Paul Stephen. “The US already has equivalents to most of the things included in GDPR but they are nowhere near as strict.”
Many commentators think there are good practical reasons for travel firms to follow the principles of GDPR, regardless of where they are based. Benefits include helping to improve the “trust” between brands and their customers, as well as encouraging new processes that enhance databases and improve the security and management of data.
Alexandra Cooke, an associate at London-based law firm Hamlins, says the key to complying with GDPR for travel firms is to be open with consumers. “It’s important and useful to explain to clients why you are holding that data,” she says.
“You need to be transparent so that consumers have trust in you,” she explains. “You have to be transparent about what data you are collecting, who you are giving it to and how you are keeping it secure.”
Cooke also questions the value of travel companies holding details of consumers who have not booked or made enquiries about a holiday for many years. “How useful are those people who have not been in contact for five or 10 years? Why do you need them in your database?” she adds.
“There are lots of people who think their database is sacred. But this is an opportunity to get that information streamlined and updated. It also allows you to get to know what your consumers think, and that has to be a good thing.”
Jeremy Tait, vice president of insight for cruise company Carnival UK, says that complying with GDPR should not prevent travel firms from making more of the data they continue to collect from clients.
“You have to have a policy so you can show you are looking after that data if the information officer comes calling – that’s just good governance,” he says. “The more GDPR-compliant data you can get, the better.”
Part of the reason that customer databases have been allowed to grow so large is the low cost of email marketing, adds Sagittarius’s Paul Stephen. “The costs were much higher in the days of direct mail marketing so you would be a lot more selective with your database,” he says.
“That financial pain has gone away because it’s so cheap to send emails to lots of people.”
Stephen adds that GDPR represents a chance to readdress this marketing issue and to improve relationships with customers who have a “genuine interest in your product or service”.
The high level of potential fines under GDPR has certainly grabbed the attention of EU-based travel businesses. But there are also compelling business benefits to complying with these requirements, even if your firm is not based in the EU, because now that consumers are more aware of how their data is being used, similar rules may be on their way in other parts of the world.