How GDPR will impact the travel sector

In the last few months, GDPR has become one of marketing’s hottest topics, with almost every organisation - travel brands included - asking how the new data protection regulation is going to affect their business.

At the moment there is a lot of confusion about how GDPR can be successfully implemented and the ramifications it will have upon the travel sector. So, to provide some useful and much-needed guidance, we got in touch with Claire Mulligan, a partner at global law firm Kennedys.

We caught up with Claire after a recent presentation she gave on GDPR and took the opportunity to ask her some important questions.

At a recent Travel Trends event you spoke briefly about the difference between personal data and corporate data - what is the difference between the two and how they will be regulated under the GDPR?

The legal definition of GDPR is, I am afraid, quite ‘clunky’!

Personal data is defined within the GDPR as: “any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, such as National Insurance number, address, email address, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

The GDPR applies to the processing of personal data by:

(a) organisations established or operating within the EU; and

(b) organisations outside the EU that:

(i) offer goods and services to; or

(ii) monitor the behaviour of individuals within the EU. It is important to note that data controllers/processors need no longer be physically located within the EU to be caught.

Corporate data (which is not a legal term, but which might include information about a company, rather than a person, for example) is not covered by GDPR.

What is the best way for organisations to begin preparing for GDPR?

A critical first step will be to conduct an internal audit of all personal data processing undertaken by your organisation (‘data mapping’) and your associated policies and procedures around this activity. This should include considerations such as understanding what types of data you collect (process), why you collect it, how you collect and use it, how you store it, what security measures you apply to it, and how long you retain it etc. You will need to fully understand your data processing activities before you can begin to work out how to comply with GDPR.

Other key considerations for the travel sector will include (but are not limited to):

• reviewing your legal bases for processing (i.e. understanding the purpose(s) for which your organisation uses personal data and ensuring you are complying with one of the lawful processing conditions in doing so);
• updating your organisation’s privacy notices in line with the new higher standards;
• determining whether your organisation will be required (for it is mandatory, in some cases) to appoint a Data Protection Officer or whether it would be advisable for your organisation to do so (based on assessment on the types and volume of personal data you process);
• and reviewing all data transfer/sharing arrangements your organisation has in place to ensure that, among other things, you have appropriate contracts (in most cases now mandatory) in place governing those arrangements and the respective rights, obligations and liabilities of the relevant parties.

GDPR has introduced a new principle of ‘accountability’, which in essence requires organisations to be able to demonstrate compliance with the new regulations. Documenting the fact and results of your data audit and related processes is one method of demonstrating your organisation’s compliance with this principle.

The UK Information Commissioner’s Office (ICO) provides helpful guidance on its website, including an overview of the new regulations, an introductory ‘12 steps’ guide and specific guidance regarding certain aspects of the reforms.

Many travel companies are finding it difficult to draw the line between data obtained via informed consent and data obtained via legitimate interest. Could you clarify the differences between these two concepts?

Consent and legitimate interest are two of the lawful processing conditions (i.e. two of the legal bases upon which you may process personal data) under GDPR. Another basis pertinent to the travel sector might be the performance of a contract between your organisation and the data subject (e.g. administering travel bookings). Understanding why you process data and ensuring you do so only in accordance with one or more lawful processing conditions is critical.

If you are relying on consent, GDPR will require you to review your consent mechanisms to ensure they meet the new, higher standards. If, for example, you cannot demonstrate that consent has been given to each and every one of your data processing activities, you may need to obtain fresh consent for all/certain activities, find an alternative basis upon which to process the personal data (e.g. legitimate interest) or cease processing altogether. It is important to note that the concept of consent has itself been enhanced (the requirement that consent be ‘informed’, as you mention in your question, is just one aspect) and can also be withdrawn at any time.

Reliance on the legitimate interest condition will require (among other things) an assessment of your organisation’s interest in processing the data as against the reasonable expectations of the individual concerned – would that individual reasonably expect you to be processing their data for a particular purpose, for example?

If an organisation fails to comply with GDPR, what penalties will they face?

GDPR implements significantly higher penalties, including, at worst, administrative fines of up to €20,000,000 or 4% of total worldwide annual turnover, whichever is the greater. Whilst preparation for the reforms will initially be costly to businesses in terms of human resource, failure to comply is set to become prohibitively expensive. Businesses should already be securing management approval and budgeting accordingly.

The fine however is the maximum and high fines are not expected to be the norm.

Elizabeth Denham, the Information Commissioner, said in August this year: “Thinking that GDPR is about crippling financial punishment misses the point. It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the Data Protection Act allows us… But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that the maximum fine will become the norm.”

Because there is much talk focused on the level of fine, many companies have perhaps lost sight of the fact that there are a number of pro-active steps that you can take. These steps can reduce the amount of fine imposed and it might even help you to avoid a fine altogether.

The latter is because a regulator is also empowered with corrective powers under GDPR. For instance, a regulator can issue a reprimand where the provisions of GDPR have been infringed; alternatively, the regulator can issue an order that certain actions (which have led to an infringement of GDPR) be corrected within a certain time.

Penalties will only be imposed in addition to or instead of the regulatory corrective powers.

Are there any circumstances where GDPR does not apply?

There are limited exemptions from GDPR, but there is scope for certain relaxations in the case of Member State derogations and in respect of micro and small and medium enterprises (SMEs) (in relation to record-keeping, for example). The ICO has set up a helpline targeted at SMEs and charitable organisations, the details of which can be found on the ICO’s website.

As a Travel Law expert, how do you think GDPR will impact the travel sector compared to other industries?

The travel industry will be particularly affected due to the large volume of personal and sensitive data it processes about individuals. For example, personal information collected as part of the booking process, including ‘special category’ (i.e. sensitive) data such as health and medical data.

Travel companies also use data in marketing new promotions to people, as well as sharing large volumes of data with overseas suppliers, such as accommodation and excursion providers. All related activities must be reviewed and brought in line with the new regulations.

Travel operators need to review their third-party data sharing arrangements and ensure they have agreements in place that contain the provisions prescribed by GDPR in order to ensure individual rights are protected to the required standards. Your operators will need to review their third-party contracts and upgrade these to incorporate the new higher standards and/or implement appropriate contracts to that effect. In particular your operators will want to understand what the data sellers have told data subjects about the transfers of data they make to the operators (e.g. through privacy notices), obtain appropriate warranties/assurances as to those and other measures around permission to use the data etc. Once your operators have purchased the data, they should be following up ASAP with their own privacy notices, explaining to individuals where and how they have obtained the data, on what basis (e.g. on the basis that an individual has consented to it being transferred to the operator for a particular purpose) and what the operator now plans to do with the data, how they plan to secure it and keep it up-to-date etc.

That is in addition to all other measures required of them as controllers/processors to ensure their houses are in order, e.g. mapping their own data uses, ensuring they are processing on the basis of lawful processing condition(s), using appropriate privacy notices, implementing and maintaining appropriate internal policies and controls around data use, security, retention, training staff etc.

A lot of people perceive GDPR to be a threat to their business, is there any way that GDPR could be seen as an opportunity?
The ICO’s view is that GDPR represents evolution, not revolution. Meaning, to that extent that your organisation is already complying with the UK’s Data Protection Act 1998, you should have a good foundation from which to raise your standards and improve your practices in line with GDPR. Again, the ICO’s website guidance is helpful in explaining the regulator’s view.

Being able to assure your customers that your business is GDPR-compliant and takes protection of data seriously should set you apart from competitors who are behind the curve in this regard.

Finally, it should be borne in mind that the UK government is presently debating a new UK Data Protection Bill, which will implement GDPR in full (despite Brexit) save for certain limited derogations available under GDPR, enabling the UK to adapt the regulations more suitably to local requirements.

It is anticipated that the Bill will become law on or before the date that GDPR comes into force (25 May 2018).

Accord is an integrated marketing agency with almost 30 years’ experience in the travel sector. Our expertise is second-to-none and we work with a wide range of travel clients, including cruise lines, domestic and international tourist boards, tour operators and online travel brands. To learn more about our extensive portfolio of services, get in touch today.