Yes, it’s coming: the EU General Data Protection Regulation (GDPR) comes into effect on the 25th of May. That’s roughly three months from now. So if you’ve been avoiding the topic, now is the time to tackle it.
There has been a lot of talk about the new regulation. Advice is varied and, unsurprisingly, businesses are confused. Many customers have asked us what they need to do to prepare for GDPR. Below are six key questions we think travel businesses need to address if they are to be ready for the new legislation coming into effect in May. As you can see in Don’t delay — the fines are steep for non-compliance!
#1: What are the risks if I do nothing about GDPR?
The quick answer is you could get a hefty fine of £20,000,000 or 4% of global turnover, whichever is greater.
It is unlikely that many companies will be fined at the upper end of this new range in the early days of this legislation but still expect your insurance companies to start asking detailed questions about what you are doing to mitigate the risk of GDPR.
#2: Where do I begin?
Your business is expected to be able to demonstrate compliance through accountability. Proving accountability requires auditable evidence created through the application of appropriate organisational and technical measures.
You must start by identifying and documenting all information you hold concerning Data Subjects. A good way to do this is to implement the 4W approach:
What am I holding? Identify all personally identifiable information (PII). This is typically items such as name and address, telephone numbers, date of birth and passport number.
Why am I holding it? If you don’t have a reason for holding data, consider getting rid of it.
Where is it held? This might, for instance, be in your reservation system, CRM system or just in copies of invoices in PDF format within the normal file structure of a disk drive.
Who is responsible for it? This is a key role in ensuring that rules are being followed when handling the data.
#3: What is data ‘protection by design and by default’?
A key requirement of GDPR is the implementation of data ‘protection by design and by default’. The legislation requires the demonstration of compliance through ‘Accountability’ which in turn is proven via ‘Appropriate Organisational and Technical Measures’.
It is the responsibility of a business’ Data Controller and Data Processor to ensure that they have implemented appropriate organisational measures. In addition, the Data Controller is responsible for ensuring that the Data Processor understands their responsibilities under the legislation and is taking appropriate measures to comply.
Appropriate organisational measures are all about policies and procedures. They cover everything from an Information Security Policy, a Change Management Procedure, Appropriate Technical Measures, Pseudonymisation and Encryption (and more).
You can find a glossary of these measures on the Information Commissioner’s Office (ICO) website, and we also detail them in our White Paper.
#4: What is ‘lawfulness of processing’?
In terms of lawful processing, there are three key areas travel businesses, in particular, should take note of:
Contracts. A contract, or information required to enter into a contract, are a lawful basis for the processing of personal information. A holiday booking constitutes a contract.
Legitimate interests, fraud. Protecting against fraud provides a legitimate interest approach to process personal information.
Consents. This is the catch-all to provide a basis for the legal processing of personal data. In essence, this is covered by the traditional tick box approach but there are some new caveats for example when asking for consent you can no longer have pre-ticked boxes and when recording consent, you must keep records of how this consent was gained.
Remember that the personal data can only be used for the purpose for which it was collected.
#5: How long can I hold data for?
You can keep data no longer than is necessary, and only for the purpose for which it was collected. There are two levels of data retention which affect travel businesses:
Contractual data. Contractual data must be retained for the purpose of fulfilling all aspects of the contract and may be extended based on legitimate interests such as fraud protection or as required by tax authorities.
Consent data. It is up to the Data Controller to define how long consent from a Data Subject can be maintained, but the legislation prevents open consent periods. Once the final data retention period has passed, any personal data must be anonymised or deleted.
#6: What are the rights of the Data Subject?
The Data Subject has the right to obtain confirmation about the processing of their personal data and a copy to be provided in a paper or a commonly used electronic form.
They also have the right of portability of their personal data. It is expected that this will be an XML or similar data feed based on the same data as used within the right of access request.
Whilst data such as a booking itinerary would need to be included in this request, data concerning itinerary elements, such as a hotel description or photographs, which were not provided by the Data Subject, are not.
The Data Subject has the right to have incorrect personal data corrected and have incomplete personal data completed. Finally, they have the right to have their personal data erased, subject to conditions laid out in lawfulness of processing.