GDPR In The Travel Industry
The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.
The purpose of GDPR is to give people easier access to their personal data and to give companies clear responsibility for obtaining consent from the people whose information they collect. Personal data is any data that can identify a person directly or indirectly, such as ID or passport details, contact information, HR records, payment information and the like.
The GDPR enforces extremely high penalties, divided into two broad categories:
- Upper level – up to €20 million or 4 percent of total worldwide annual revenue for the latest financial year for major breaches. Compare this penalty amount with the one for a data breach in 2012, which can be considered a major one, as 1,163,996 debit and credit card records were stolen from a travel agent. Back then, the fine amount was approximately $255,000.
- Lower level – up to €10 million or 2 percent of total worldwide annual revenue for the latest financial year for smaller breaches.
- Consent must be freely given by the user's own choice, informed and unambiguous.
- Companies must present the consent request in clear and understandable language.
- Consent can't be inferred from silence or from the user choosing not to interact; it must be given specifically. It needs to be separate from the terms and conditions and must be an action the user takes to allow it.
- If you gather information about the user via cookies, you should give them the opportunity to accept or reject them.
- If the user changes their mind, they should be able to access settings to change their preferences.
- Personal data collected for one purpose cannot be used for another one.
Travel companies use personal data by, for example, sending it to hotels for accommodation bookings and to airlines for flight bookings. It is the travel agency's responsibility to secure the data that it sends and to make sure the companies it sends the data to explain, to the travel agency and to the individual whose information is used, how they plan to secure it. The travel agency may take the information and give it in a secure form to a third party outside of the EU, but if they are still servicing a person in the EU, then the GDPR applies to them.
If you run local tours and activities and do not deal with European tourists regularly, then you do not need a Data Protection Officer (DPO). But if you use any online travel portals, or run a global tours company that requires or takes personal data to market or to make bookings, then a Data Protection Officer is a necessity. There is no exception for small or medium companies. A DPO could be an existing employee who takes responsibility for the data, or the company could hire an external resource.
Enabling data breach notifications is essential, because once we take people's personal data it is our responsibility to secure it. That means setting up the right procedures to effectively detect, report and investigate a personal data breach. According to GDPR, companies should report a breach to the Information Commissioner's Office within 72 hours. If the breach can affect people's rights and freedoms, the individuals must be informed too. Since OTAs (online travel agencies) use personal information for airline bookings and hotel bookings, it is important to monitor for breaches.
Give users access to their personal data in settings, so they can view what data about them is collected and turn collection on and off as per their consent. If the user requests it, you should be ready to provide the categories of data collected and a copy of the actual data. If the user requests a copy of the data you've taken, you should be able to give it to the user in a common format. If the data is stored in a hotel monitor, it should be portable to a common format like csv or xlsx.
GDPR is a complex structure, but one that all companies must support when operating in the EU. As GDPR affects all travel industry operations, it can be a good thing, as it helps build trust with customers and improves customer loyalty to the travel company. Customers know their data is protected and can be monitored according to their consent. If users understand how their data is used, they will be more likely to provide more personal data for personalization, which improves both the users' and the travel company's experience with each other. Hence, it is important that travel companies understand and monitor the GDPR regulations that apply to them.
Thank you for sharing informative content. GDPR (General Data Protection Regulation) is a data protection and privacy rule under EU law that applies to European nations and the European Economic Area. It also handles personal data transfers outside of the EU and EEA. She clearly added the purpose of GDPR and how it helps to keep personal data secure, and also mentioned how GDPR impacts all travel business operations and how this may be a good thing because it helps to increase consumer trust and loyalty with the travel company.
It is really important to have a legal regulation that protects customers' data in this digital world. Some companies are irresponsible and reckless when it comes to handling customer data, and many such cases have been reported where crucial data of consumers has been leaked. Now, with GDPR, companies have legal obligations regarding the way they use consumers' data.