When Paul Hewett, Commercial Director of In Marketing We Trust, met Tim Bell, Managing Director of DPR Group (Data Protection Representatives Group), at SXSW earlier this year, IMWT partnered with DPR to bring you this webinar on GDPR for Travel Companies, plus a FREE GDPR framework to help you comply.
GDPR for Travel Companies + FREE GDPR Framework
What you need to know and do
Table of Contents
- GDPR for Travel Companies: Explained Simply
- Introducing Global GDPR
- Travel Companies Need to Pay Close Attention
- GDPR Compliance Obligations for Travel Companies
- GDPR: How to Comply
- FREE GDPR Framework
View our webinar slides on GDPR for Travel Companies below:
Disclaimer: The information below provides general comments on the obligations under GDPR and some actions which can be taken to move towards compliance. It is not intended to be a comprehensive description of GDPR, and is not a substitute for full legal advice, which should be sought before drawing any conclusions on your particular circumstances.
What we’ll cover:
- Why GDPR matters to non-EU companies
- Why GDPR matters for travel companies
Personal data is growing. Each day we leave a trail of personal data across the web, and companies collect it. The volume keeps growing: by 2020 the total amount of data stored worldwide is forecast to exceed 50 zettabytes, roughly the size of an audio recording of every word ever spoken by every human.
We are moving from storing and processing structured data to unstructured data, including images, audio and video. Much of this data is personal to us as consumers: videos, photographs and the metadata around them, including IP addresses and behavioural data. All of our digital interactions leave a trail of personally identifying metadata. Growing concern about how this data is collected, processed and used is what led to the GDPR.
Companies such as Alibaba are at the forefront of analysing this kind of data, and the commercial applications and opportunities are incredible. For instance, as a hotel or a cruise liner, you could track your guests around a property or a ship to gain intelligence on their preferences: which restaurants and bars they use the most, and whether they visit the spa, gym or smoking area.
When Personal Data Goes Bad
While the use of personal data can be positive, there are emerging downsides to sharing personal data so publicly.
In China, police are using mass facial recognition surveillance to monitor citizens. In a number of Chinese cities, jaywalkers are under surveillance: their face is scanned and 15 seconds of the offence is recorded. The images and video are then posted on social media and on large public screens to shame them, and the personal data is stored in a police database.
When Personal Data Goes Bad: A Timeline
- 2011: Max Schrems brings action against Facebook in Ireland for breach of privacy laws; Facebook disables its facial recognition software
- 2013: Following the Snowden revelations, Schrems brings further action, resulting in the collapse of the US-EU ‘Safe Harbour’ framework for data transfers (struck down by the CJEU in 2015)
- 2016: WhatsApp loses a case in the Netherlands for not appointing a local Data Protection Representative: €1m fine
- 2016: Uber suffers a massive data breach, losing the personal data of around 57,000,000 drivers and passengers
- 2017: French data protection authority demands that WhatsApp stop sharing data with its owner, Facebook
- 2017: Uber admits to the data breach and to paying off the hackers
- 2018: Belgian data protection authority requires Facebook to stop tracking non-Facebook users and to delete data collected unlawfully using cookies (fined $311,000 per day for non-compliance)
What is the GDPR and why you NEED to know about it.
What is the GDPR
- EU law on data protection and privacy
- For all individuals within the EU
- Gives individuals within the EU control of their personal data
- Replaces the 1995 Data Protection Directive
- Adopted into law 27 April 2016
- Becomes enforceable 25 May 2018
Why GDPR Matters to You
GDPR applies directly to Australian, Asian, American and all other non-EU companies that process the personal data of individuals in the EU.
GDPR is Global
- GDPR brings increased ‘Territorial Scope’
- Any organisation which collects and/or processes the data of EU data subjects is required to meet the obligations of the GDPR
- REGARDLESS OF THEIR LOCATION
The risk for your organisation is significant
- Large non-compliance fines
- Globally enforceable
- From 25 May 2018
Authorities intend to enforce globally. It is not in the EU’s interest to allow non-EU organisations to breach its data protection laws.
GDPR is an Opportunity
Consumers are becoming more data savvy by the day. Getting data privacy right is a good business decision. Be transparent: tell your customers what you are doing with their data and why.
- Tell your customers why you need their data
- Ask your customers for consent to use their data (where consent is the basis you rely on)
- Tell your customers what you will do with the data
- Tell your customers how you will protect their data
Most travel businesses are global, whether they like it or not.
Travel is a Global Market
Travel websites are more at risk than most other ccTLD websites because they attract non-domestic customers.
Take a hotel, car rental firm or theme park in Singapore, for example: the product is of interest to customers worldwide, so the website is likely to attract EU users. If the website is not set up for GDPR compliance, there is a risk of fines.
If you are like other online travel companies, it is likely you are already capturing data from EU users, even on country code top-level domains.
Travel is a unique category when it comes to GDPR. If you have a travel product based outside the EU, travellers from within the EU may well be looking for your .au or .sg website.
How it Works
You may be capturing data the minute your web tags start firing, and some of it is personal data. Look at your standard website through an EU lens: cookies have the potential to capture personal data covered by the GDPR, and IP addresses are also classed as personal data.
When a visitor uses your website, 4 types of cookies are typically served:
- Analytics: web analytics such as Google Analytics or Adobe Analytics
- Anonymous: other anonymous cookies
- Personalisation: storing useful information that will make the user’s experience better
- Advertising: DoubleClick, remarketing and IP forensics
Beyond this, we move to more transparent forms of data capture, including forms, progressive profiling and transaction data.
Consent is required from website users in the UK, and across the EU under the ePrivacy rules that sit alongside the GDPR, before cookies which track user behaviour are set.
You may even be capturing high-risk PII in your web analytics. Most of the web analytics accounts we see have PII in them, typically email addresses or names passed in page URLs or form fields. This is bad news for 2 reasons:
- It is a breach of the GDPR
- It breaches Google Analytics’ terms of service, which prohibit sending PII: if Google catches you, it can terminate your account without warning and the data in it is lost
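These checks can be enforced in the tag-management layer before a hit leaves the browser. As an added example, not code from the webinar, from IMWT or from DPR, the JavaScript below gates tag categories on an explicit consent record, redacts the email addresses and phone numbers that most often leak into analytics through page URLs (booking confirmation pages with form fields in the query string), and zeroes the last octet of an IPv4 address before it is stored. The consent object shape, the tag category names, the parameter names and the sample URL are assumptions made for the illustration, not the API of Google Analytics or of any consent-management tool.

```javascript
// Added example (not from the webinar): two client-side checks before an
// analytics hit leaves the browser. The consent record shape, the tag
// categories and the sample URLs below are assumptions for illustration,
// not the API of Google Analytics or of any consent-management tool.

const TAG_CATEGORIES = new Set(['analytics', 'personalisation', 'advertising']);

// Decide whether a tag of the given category may fire. 'necessary' tags
// (e.g. the session cookie for the booking basket) never need consent; every
// other category needs an explicit opt-in. A missing key, a default, or
// anything that is not the boolean true counts as no consent (a pre-ticked
// box is not consent). Unknown categories fail closed.
function mayFireTag(category, consent) {
  if (category === 'necessary') return true;
  if (!TAG_CATEGORIES.has(category)) return false;
  return consent !== null && typeof consent === 'object' && consent[category] === true;
}

// Values that commonly leak into analytics page URLs on booking sites.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const PHONE_RE = /\+?\d[\d\s().-]{7,}\d/g; // deliberately broad: better to over-redact
const SENSITIVE_PARAMS = new Set([
  'email', 'phone', 'tel', 'name', 'firstname', 'lastname', 'passport', 'dob',
]); // assumed form field names, adjust to your own booking forms
const MASK = 'REDACTED';

// Mask email- and phone-shaped tokens in a decoded string, recording what was found.
function maskText(text, where, findings) {
  return text
    .replace(EMAIL_RE, () => { findings.push(`${where}: email`); return MASK; })
    .replace(PHONE_RE, () => { findings.push(`${where}: phone`); return MASK; });
}

// Return a copy of the page URL that is safe to send to analytics, plus a list
// of what was redacted so leaks can be monitored and fixed at source.
function redactPii(urlString) {
  const url = new URL(urlString);
  const findings = [];
  // 1. Named booking-form fields are redacted whatever their value.
  for (const key of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) {
      url.searchParams.set(key, MASK);
      findings.push(`param ${key}: sensitive field`);
    }
  }
  // 2. Anything email- or phone-shaped in any remaining parameter value...
  for (const key of [...url.searchParams.keys()]) {
    const value = url.searchParams.get(key);
    const masked = maskText(value, `param ${key}`, findings);
    if (masked !== value) url.searchParams.set(key, masked);
  }
  // 3. ...or in the path itself (e.g. /confirm/jane.doe@example.com).
  let path;
  try { path = decodeURIComponent(url.pathname); } catch (e) { path = url.pathname; }
  const maskedPath = maskText(path, 'path', findings);
  if (maskedPath !== path) url.pathname = maskedPath;
  return { url: url.toString(), findings };
}

// Combine the two checks: returns null when the analytics tag must not fire,
// otherwise the redacted page URL the hit may carry.
function buildPageviewHit(pageUrl, consent) {
  if (!mayFireTag('analytics', consent)) return null;
  const { url, findings } = redactPii(pageUrl);
  return { page: url, piiFindings: findings };
}

// IP addresses are personal data too; zeroing the last octet before the
// address is stored is the usual mitigation (IPv4 only in this example).
function anonymiseIpv4(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  parts[3] = '0';
  return parts.join('.');
}

// Constructed sample: a confirmation page that leaks the guest's email.
const SAMPLE_URL =
  'https://www.example-hotel.sg/booking/confirmation?hotel=marina&email=jane.doe%40example.com&ref=AB12CD';
console.log(buildPageviewHit(SAMPLE_URL, { analytics: true, advertising: false }));
console.log(buildPageviewHit(SAMPLE_URL, { analytics: false }));
```

Run it with node. The `findings` list is the operationally useful part: log it, and any non-empty result points at a page template that is putting personal data into URLs and should be fixed at source rather than patched in the tag layer.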
What you need to know about GDPR as a non-EU company
There are three parties:
- Data subject – the person who could be identified by the personal data
- Data controller – the organisation which determines how the personal data is processed
- Data processor – an organisation which processes personal data on behalf of the data controller
The data subject owns their personal data.
As a data controller or processor, you may collect and use the data only where you have a lawful basis for doing so. Consent is the basis most people assume, but it is only one of the six bases in Article 6 (see the lawful basis section below); where consent is relied on, it must be explicit.
In most cases, the data subject has the right to access their data and to restrict its use, and access is free of charge.
As the controller you are responsible for the proper processing of the data.
What is a Data Subject?
The “data subject” is a human. ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1)).
Data Subject Rights
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to be informed
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
Data Protection Principles
- Lawfulness, fairness and transparency
- Purpose Limitation: specified, explicit and legitimate purpose
- Data Minimisation: adequate, relevant and limited to purpose
- Accuracy: accurate and up-to-date
- Storage Limitation: no longer than is necessary for the purpose
- Integrity and Confidentiality: appropriate security
- Accountability: be responsible and demonstrate compliance
Privacy by design and default
- Written into the law (Article 25), but more a ‘state of mind’ than a checklist
- Requires organisations to have data protection ingrained in their culture
You must have a lawful basis for collecting and processing data.
- Consent is the basis most often assumed, but it is only one of six
- Where you rely on it, consent must be freely given, specific, informed and unambiguous
- It requires a clear affirmative action (a pre-ticked box is not adequate)
But there are other justifications for processing personal data, including:
- Contractual obligation
- Legal obligation
- Vital interest to individual
- Public interest
- Legitimate interest
Data Protection Officer
Organisations that must appoint a Data Protection Officer:
- Public authorities
- Core activities involve ‘regular and systematic monitoring of data subjects on a large scale’
- Core activities involve processing of ‘sensitive data’ on a large scale
The Data Protection Officer is required to manage and oversee the data protection program. They can be outsourced – with care, though we recommend appointing someone internally.
EU Data Protection Representative
An organisation must appoint an EU Data Protection Representative where:
- It processes the data of individuals in the EU
- It is not established in the EU
- (Exclusions apply for public sector, “occasional” processing)
The purpose of the EU Data Protection Representative is to give EU-based individuals and supervisory authorities a point of contact for the non-EU controller or processor. This obligation does not apply to EU-based organisations.
Although this obligation is easily overlooked, failure to comply is easy to spot: the Representative must be clearly identified (for example in your privacy notice) so that data subjects and authorities can contact them.
Where the data controller appoints a data processor, there must be a contract which sets out:
- Subject matter, duration, nature and purpose of the processing
- That the processor will only process on the instructions of the controller
- Any non-EU countries where the personal data will be processed
- And more …
Where the data processor appoints a sub-processor, an equivalent contract must be put in place between the processor and sub-processor.
When transferring data across international borders there must be adequate protections in place. Some countries have been granted an ‘adequacy’ decision, confirming a level of legal protection of personal data equivalent to that in the EU. These include Argentina, Israel, New Zealand and Canada (commercial organisations only).
For US-EU transfers, the Privacy Shield replaced the Safe Harbour agreement after Safe Harbour was struck down post-Snowden. The Privacy Shield is open to criticism under GDPR if the US cannot give sufficient reassurances about government interception of data. Organisations who wish to benefit from Privacy Shield must self-certify to the Department of Commerce. (That criticism was later upheld: the CJEU invalidated Privacy Shield in July 2020 in Schrems II, so it can no longer be relied on for transfers.)
Where personal data is collected, the data subject should be informed:
- The identity of the Data Controller and Data Protection Officer (if applicable) and how to contact them
- Why and where their data processing is being undertaken (including safeguards if being sent outside the EEA)
- How long the data will be kept
- The data subject’s right to object to the processing
Subject Access Request
A data subject (the individual) can issue a request to an organisation which is a data controller of their personal data to request (among other things):
- Details of the personal data they hold
- Correction of the personal data
- Erasure of the personal data (the “right to be forgotten”)
Your obligations regarding subject access requests:
- Must respond without undue delay and at the latest within one month (extendable by a further two months for complex or numerous requests, provided you tell the data subject within the first month)
- Cannot charge for the response (a reasonable fee is allowed only for manifestly unfounded or excessive requests)
- Can refuse manifestly unfounded or excessive requests, for example repeated requests for the same data
Data Breach Notifications
Where there has been a breach of personal data which could put the rights and freedoms of individuals at risk, the data controller must inform the relevant EU national data protection authority within 72 hours of becoming aware of it (a later notification must explain the delay). If the breach is likely to result in a high risk to data subjects, they must also be informed directly without undue delay. The processor is obliged to inform the data controller “without undue delay”, so your contracts with processors should say how, and how fast, they will do so.
Data Processing Record
An organisation must keep records of its processing activities for inspection. This should include:
- What processing is undertaken
- On what data
- For what purpose
- How the rights and freedoms of individuals are protected
An organisation must undertake a Data Protection Impact Assessment (DPIA) of the impact on individuals’ rights when undertaking new processing activities likely to result in a high risk, particularly when using new technology. This should also include the above information.
We’ve created a GDPR (& Data Protection) Compliance Framework to help Data Controllers and Data Processors become compliant. Get your Free GDPR Framework now.
Here’s a summary of what to do …
Understand Your Risk
Evaluate your user, customer and employee data. Is there any data about individuals within the EU? If the answer is yes, and you offer goods or services to those individuals or monitor their behaviour (a booking website with analytics does both), you are required to comply with the regulation, even if only a handful of people are affected.
Appoint Your Data Team
- Appoint a Data Protection Officer (mandatory only in the cases listed above, but a named owner is needed either way)
- Appoint an EU Representative (if you are not established in the EU)
- Appoint Data Protection Champions
Compliance Gap Analysis
Conduct a compliance gap analysis against 4 criteria:
- Transparency & Lawfulness
- Individual Rights
- Accountability & Governance
- Security, international transfers and breaches
Know Your Data
- Know every data flow within your business
- Identify where the data is
- Identify where the data goes
- Identify who has access
- How long you need it for
- If it is a risk
- If it is being transferred outside the EU
- Identify all your processors and sub-processors
- Ensure they are compliant
- As a controller it’s your responsibility
Process for Data Events (Requests)
- Ensure your staff and customers have a method to make a subject access request
- Make sure you have a process to handle the request
Assets & Process
- Get your assets together
- Get your processes together
- Communicate them
- Add a privacy notice to your website
Train Your Team
- Training is not a tick box exercise
- Train your staff on personal data protection
- Train your leaders on personal data protection
- Personal data protection as a concept
- Personal data protection as a culture
Contact us for more information
Many thanks to Paul Hewett and Tim Bell for putting together this presentation. If you would like to request more information, you can contact them below.
In Marketing We Trust
- Download your FREE GDPR Framework below
- Click the “copy base” button on the top left
- Sign Up for an Airtable account to save