In the last few months, GDPR has become one of marketing’s hottest topics, with almost every organisation - travel brands included - asking how the new data protection regulation is going to affect their business.
At the moment there is a lot of confusion about how GDPR can be successfully implemented and the ramifications it will have upon the travel sector. So, to provide some useful and much-needed guidance, we got in touch with Claire Mulligan, a partner at global law firm Kennedys.
We caught up with Claire after her presentation at CIM’s ‘Travel Trends to Watch’ seminar and took the opportunity to ask her some important questions.
The legal definition of GDPR is, I am afraid, quite ‘clunky’!
Personal data is defined within the GDPR as: “any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, such as National Insurance number, address, email address, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
You may recall in one of my slides I flagged the types of personal data that your members need to think about in terms of personal data:
The GDPR applies to the processing of personal data by:
(a) organisations established or operating within the EU; and
(b) organisations outside the EU that:
(i) offer goods and services to; or
(ii) monitor the behaviour of individuals within the EU. It is important to note that data controllers/processors need no longer be physically located within the EU to be caught.
Corporate data (which is not a legal term, but which might include information about a company, rather than a person, for example) is not covered by GDPR.
A critical first step will be to conduct an internal audit of all personal data processing undertaken by your organisation (‘data mapping’) and your associated policies and procedures around this activity. This should include considerations such as understanding what types of data you collect (process), why you collect it, how you collect and use it, how you store it, what security measures you apply to it, and how long you retain it etc. You will need to fully understand your data processing activities before you can begin to work out how to comply with GDPR.
Other key considerations for the travel sector will include (but are not limited to):
GDPR has introduced a new principle of ‘accountability’, which in essence requires organisations to be able to demonstrate compliance with the new regulations. Documenting the fact and results of your data audit and related processes is one method of demonstrating your organisation’s compliance with this principle.
The UK Information Commissioner’s Office (ICO) provides helpful guidance on its website, including an overview of the new regulations, an introductory ‘12 steps’ guide and specific guidance regarding certain aspects of the reforms.
Consent and legitimate interest are two of the lawful processing conditions (i.e. two of the legal bases upon which you may process personal data) under GDPR. Another basis pertinent to the travel sector might be the performance of a contract between your organisation and the data subject (e.g. administering travel bookings). Understanding why you process data and ensuring you do so only in accordance with one or more lawful processing conditions is critical.
If you are relying on consent, GDPR will require you to review your consent mechanisms to ensure they meet the new, higher standards. If, for example, you cannot demonstrate that consent has been given to each and every one of your data processing activities, you may need to obtain fresh consent for all/certain activities, find an alternative basis upon which to process the personal data (e.g. legitimate interest) or cease processing altogether. It is important to note that the concept of consent has itself been enhanced (the requirement that consent be ‘informed’, as you mention in your question, is just one aspect) and can also be withdrawn at any time.
Reliance on the legitimate interest condition will require (among other things) an assessment of your organisation’s interest in processing the data as against the reasonable expectations of the individual concerned – would that individual reasonably expect you to be processing their data for a particular purpose, for example?
GDPR implements significantly higher penalties, including, at worst, administrative fines of up to €20,000,000 or 4% of total worldwide annual turnover, whichever is the greater. Whilst preparation for the reforms will initially be costly to businesses in terms of human resource, failure to comply is set to become prohibitively expensive. Businesses should already be securing management approval and budgeting accordingly.
The fine, however, is the maximum, and high fines are not expected to be the norm.
Elizabeth Denham, the Information Commissioner, said in August this year: “Thinking that GDPR is about crippling financial punishment misses the point. It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the Data Protection Act allows us… But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that the maximum fine will become the norm.”
Because there is much talk focused on the level of fine, many companies have perhaps lost sight of the fact that there are a number of pro-active steps that you can take. These steps can reduce the amount of fine imposed, and they might even help you to avoid a fine altogether.
The latter is because a regulator is also empowered with corrective powers under GDPR. For instance, a regulator can issue a reprimand where the provisions of GDPR have been infringed; alternatively, the regulator can issue an order that certain actions (which have led to an infringement of GDPR) be corrected within a certain time.
Penalties will only be imposed in addition to or instead of the regulatory corrective powers.
There are limited exemptions from GDPR, but there is scope for certain relaxations in the case of Member State derogations and in respect of micro and small and medium enterprises (SMEs) (in relation to record-keeping, for example). The ICO has set up a helpline targeted at SMEs and charitable organisations, the details of which can be found on the ICO’s website.
The travel industry will be particularly affected due to the large volume of personal and sensitive data it processes about individuals. For example, personal information collected as part of the booking process, including ‘special category’ (i.e. sensitive) data such as health and medical data.
Travel companies also use data in marketing new promotions to people, as well as sharing large volumes of data with overseas suppliers, such as accommodation and excursion providers. All related activities must be reviewed and brought in line with the new regulations.
Travel operators need to review their third-party data sharing arrangements and ensure they have agreements in place that contain the provisions prescribed by GDPR in order to ensure individual rights are protected to the required standards. Your operators will need to review their third-party contracts and upgrade these to incorporate the new higher standards and/or implement appropriate contracts to that effect. In particular your operators will want to understand what the data sellers have told data subjects about the transfers of data they make to the operators (e.g. through privacy notices), obtain appropriate warranties/assurances as to those and other measures around permission to use the data etc. Once your operators have purchased the data, they should be following up ASAP with their own privacy notices, explaining to individuals where and how they have obtained the data, on what basis (e.g. on the basis that an individual has consented to it being transferred to the operator for a particular purpose) and what the operator now plans to do with the data, how they plan to secure it and keep it up-to-date etc.
That is in addition to all other measures required of them as controllers/processors to ensure their houses are in order, e.g. mapping their own data uses, ensuring they are processing on the basis of lawful processing condition(s), using appropriate privacy notices, implementing and maintaining appropriate internal policies and controls around data use, security, retention, training staff etc.
The ICO’s view is that GDPR represents evolution, not revolution. Meaning, to the extent that your organisation is already complying with the UK’s Data Protection Act 1998, you should have a good foundation from which to raise your standards and improve your practices in line with GDPR. Again, the ICO’s website guidance is helpful in explaining the regulator’s view.
Being able to assure your customers that your business is GDPR-compliant and takes protection of data seriously should set you apart from competitors who are behind the curve in this regard.
Finally, it should be borne in mind that the UK government is presently debating a new UK Data Protection Bill, which will implement GDPR in full (despite BREXIT) save for certain limited derogations available under GDPR, enabling the UK to adapt the regulations more suitably to local requirements.
It is anticipated that the Bill will become law on or before the date that GDPR comes into force (25 May 2018).
Accord is an integrated marketing agency with almost 30 years’ experience in the travel sector. Our expertise is second-to-none and we work with a wide range of travel clients, including cruise lines, domestic and international tourist boards, tour operators and online travel brands. To learn more about our extensive portfolio of services, get in touch today.