Is the travel industry prepared? The answer is no. Recently a large travel organisation asked approximately 60 members attending a financial event whether they had heard of GDPR and, if they had, whether they planned to implement it. Only five had.
This seems to be a representative sample from our experience. With only 12 months to go before it becomes law, GDPR could be having a big impact on businesses – in all sectors within travel – for all the wrong reasons.
Make no mistake, the new regulations are not here to help business. They have been specifically drawn up to protect consumer rights. To do so, GDPR is designed to make businesses protect their clients’ data, particularly their personal and financial information. The way it does that is by making commerce sit up and pay attention, with financial penalties that will make your eyes water.
Next to these penalties, the fines that Abta and Holiday Inn can expect for their recent data breaches will look like chicken feed. For example, for non-compliance with next year’s law a business can expect a fine of €10 million or 2% of turnover – whichever is the greater. If you then go on to lose customers’ data through internal or external factors such as loss or hacking, the fine increases to €20 million or 4% of revenue – whichever is the greater.
Point-of-sale devices and large, often very badly defended, databases make travel firms such as tour operators, airlines, hotels and travel agents easy prey for cyber criminals. It is urgent that you take action to protect your customers’ data and your brand image.
Small businesses as well as large ones are in danger. In service industries such as travel, it is not only the size of the fine that will cause an often-fatal financial burden; the problem is exacerbated by the fact that the fine is turnover-based, and in travel revenue is typically far lower than turnover, so the fine is in effect much larger relative to what the business actually earns.
So as the clock ticks, what do you do about it? There is a lot of work to do and it is often more complex than you might think. As a company, you should appoint a data protection officer (DPO) who is a senior manager and set about assessing your business data activities and systems to see in which areas you fail the GDPR requirements. The next step is to rectify the shortfall and to implement a new company data protection plan.
It may sound straightforward, but in practice it is not so easy. For example, one of the prime new directives is “Forget me”. If a customer returns from holiday and says to you “take me off your mailing list”, it sounds a simple request. However, if you have multiple lists, or you restore a backed-up marketing database, that name could come back. If it does, you are in breach of the GDPR. It may be a simple request, but it could take months of data mining to fix.
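One way to stop an erased name reappearing, shown here as an added example that is not part of the column and not the author’s code: keep a central erasure ledger holding keyed hashes of erased e-mail addresses, and re-apply it to every list and to any restored backup. The list contents, the pepper value and the function names are assumptions for the illustration.

```python
import hashlib
import hmac

# Constructed sample data: two marketing lists plus a backup of the first,
# all taken before the customer asked to be forgotten.
CRM_LIST = ["ann@example.com", "bob@example.com", "cara@example.com"]
NEWSLETTER_LIST = ["bob@example.com", "dan@example.com"]
CRM_BACKUP = ["ann@example.com", "bob@example.com", "cara@example.com"]

# Assumed: a secret pepper held outside the backups, so the ledger records
# a keyed hash rather than becoming yet another list of personal data.
PEPPER = b"rotate-me-and-keep-out-of-backups"


def erasure_key(email: str) -> str:
    """Keyed hash of a normalised address; stored instead of the address itself."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(PEPPER, normalised, hashlib.sha256).hexdigest()


class ErasureLedger:
    """Records 'forget me' requests and suppresses them from any list."""

    def __init__(self) -> None:
        self._keys: set[str] = set()

    def record(self, email: str) -> None:
        self._keys.add(erasure_key(email))

    def is_erased(self, email: str) -> bool:
        return erasure_key(email) in self._keys

    def apply(self, records: list[str]) -> list[str]:
        """Return the list with every erased address removed."""
        return [r for r in records if not self.is_erased(r)]


def restore_backup(backup: list[str], ledger: ErasureLedger) -> list[str]:
    """A restore must pass through the ledger, or erased names come back."""
    return ledger.apply(backup)


if __name__ == "__main__":
    ledger = ErasureLedger()
    ledger.record("Bob@Example.com ")  # request arrives with odd casing/spacing
    print(ledger.apply(CRM_LIST))                 # bob is gone from the CRM
    print(ledger.apply(NEWSLETTER_LIST))          # and from the newsletter
    print(restore_backup(CRM_BACKUP, ledger))     # and stays gone after a restore
```

Because the ledger stores only keyed hashes, it can be kept and applied after the address itself has been deleted from every system.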
With such a short time left until the regulations start on May 26, 2018, and with many companies making a standing start, it is vital to your business survival that you act now. Make sure you have a working committee acting under the guidance of a DPO. Involve and take advice from as many outside agencies as you can, such as the UK Information Commissioner’s Office, industry governing bodies and consultants. Make sure that your business processes and data protection software match the requirements.
Richard Bristow is a director at Tamite Secure IT