Since 2018, the General Data Protection Regulation (GDPR) has governed how businesses collect, store, and transfer personal data. These regulations apply to businesses operating in most European countries – regardless of whether they are members of the EU. This includes travel agents and tour operators.
In this post we will outline some common GDPR challenges for travel agents and travel operators, and explore how you can ensure your travel business stays compliant.
Please note that regardless of the industry you work in, data protection will always be a complex issue. This post will provide a general overview of some of the key principles of GDPR for travel agents and tour operators. But for a thorough guide to your data protection obligations, please consult the Information Commissioner’s Office.
The Importance of Consent and Withdrawal
Under GDPR, you must obtain explicit consent to collect certain customer data, for every specific data use case. Most businesses do this via pop-ups on their website.
You can never infer a customer’s consent. The customer must give it willingly, and in full understanding of exactly what they are consenting to.
Also, customers have the right to withdraw their consent at any point. This means you must make it as easy as possible for customers to change their preferences.
What is Personal Data for Travel Agents and Tour Operators?
GDPR regulates personal data. So, what constitutes personal data, for travel agents and tour operators?
In the travel industry, personal data might include:
- Passport details, including names, addresses, dates of birth, and biometric data.
- Contact details, including emails and phone numbers.
- Photos, and other identifying information.
- Financial details, payment and billing histories, and other forms of sensitive data.
Your employees’ data is also protected under GDPR. Your HR department should take appropriate care when collecting and storing employee details.
What Personal Data Should Travel Agents Be Collecting?
When obtaining customer consent for data collection, you must be completely open and unambiguous. You must tell your customers exactly what data you are collecting, and for what specific purpose you are collecting it.
If a customer consents to your using their data for one purpose, you cannot then use this data for a different purpose. For example, if a travel operator requests a customer’s email address so that they can send them some digital tickets, they cannot then use this same email address for marketing purposes. You would need to seek the customer’s consent separately before you could add them to a marketing mailing list.
You must only collect customer data that you really need. For example, an airline will need to know a customer’s passport number. The airport car park will not.
Can Travel Agents and Tour Operators Share Customer Data?
Tour operators and travel agents may make travel and accommodation arrangements on a customer’s behalf. For this, they may need to share certain personal details with other organisations.
Businesses are allowed to share personal data with other organisations under GDPR. But once again, you will first need the customer’s explicit consent before you share their data. Plus, you may only share necessary information, and you must only do so for specific purposes.
For example, if a travel agent shares a customer’s email address with a hotel, this hotel cannot then bombard this customer with marketing emails.
How To Store Customer Data Safely and Securely
You must ensure that any personal data you collect is stored as securely as possible. You probably have certain security measures in place already. Locks on doors, windows, and cabinets play a huge role in data security. Passwords, antivirus software, and firewalls can help protect your data from digital breaches.
It is also important to train your staff on certain cybersecurity principles. All staff members should know how to spot a suspicious email, for example.
How Long Should You Store Customer Data?
A robust, and enforced, data retention policy is critical for GDPR compliance.
Under GDPR, you should not store personal data for longer than you need to. For example, a hotel might collect contact details from a customer to keep them informed about their booking. Once the customer has checked out, the hotel no longer needs this contact information. So technically, under GDPR, the hotel should then delete this customer data.
However, GDPR does not set strict timeframes for storing customer data. The wording of the regulations simply requires businesses to ensure “that the period for which the personal data are stored is limited to a strict minimum.”
To ensure you stay compliant, you should commit to regular data audits. Periodically, you should review the data you store, and assess whether or not you still need it based on the purpose for which you collected it. Needless to say, you should then delete any personal data you no longer need.
How to Deal With Data Breaches
Cybercriminals know that travel agents and travel operators store huge amounts of valuable customer data. Because of this, around 72% of SMEs in the travel sector have fallen victim to cyberattacks in recent years.
Be sure to read our full guide to cybersecurity for travel agents and tour operators. Our guide outlines the common cybersecurity risks for the travel sector, while detailing some key strategies for keeping your business safe.
Following a breach, you may need to provide evidence that you took sufficient measures to keep your customer data safe. If you fall victim to a cyberattack, a dedicated cyber insurance policy can provide cover for customer data loss, and for system breaches. So, as well as helping your business and your customers recover from a cyberattack, cyber insurance also plays a huge role in ensuring your business stays compliant with data protection regulations.
Find out more about our cyber insurance for businesses as well as our comprehensive insurance policies for travel agents and tour operators.
For more information, call us on 0207 977 7856 or email Nic.Wheele@JamesHallam.co.uk.