With less than four months to go until the General Data Protection Regulation (GDPR) comes into force, ABTA is reiterating that travel companies must begin preparations to meet the new regulations in time for the May deadline.
It said businesses need to get started with the following three steps as soon as possible: perform a Review, understand the Requirements and collate Relevant records.
Rhys Griffiths, partner and head of travel regulation at Fieldfisher, and moderator at ABTA’s Data Protection and Cyber Security in Travel seminar, which is being hosted today, said: “One new key principle in the GDPR is accountability – it’s no longer enough to comply with data protection laws, businesses must demonstrate how they meet the new regulation.” He added that it wasn’t too late for businesses to be compliant with the GDPR and those which have processes and policies in place to adhere to the Data Protection Act will find that there are a lot of existing resources which can be re-utilised for GDPR compliance purposes. “It’s also important to remember it will be an ongoing process, rather than a race to the 25th May.”
First and foremost, businesses need to carry out a full audit of the data they hold and how they handle it – including how it’s collected, what it is used for and how it is stored securely. ABTA has produced a data protection audit spreadsheet with guidance which can help members in their preparations for the GDPR.
Next, they need to understand if their procedures for acquiring and processing data are robust enough to meet the more rigorous requirements of the GDPR. Businesses need to consider what the legal basis is for processing relevant sets of data, as they will only be able to process personal data if it adheres to one of six lawful bases, such as the fact that the processing is necessary for the performance of a contract with the data subject. More information about each of the bases is on the ICO website.
Businesses need to update their privacy statements in order to be completely transparent with customers about how they use their data. They need to clearly inform individuals about the purposes of processing their data and what will happen to their data, and bear in mind all the additional details required under the GDPR.
Non-compliance with the new laws could result in fines of up to £17,000,000, or four per cent of annual turnover, as well as having other business impacts such as a loss of goodwill, employee trust and negative publicity.
Simon Bunce, director of legal affairs, said it is likely that the final Package Travel Regulations will be published in May – less than two months before they are due to come into force in July. So it’s important that businesses take the opportunity to get ready for the GDPR in advance of May – otherwise they will be leaving themselves with little time to prepare for both.