Most industries in Europe — or anyone who deals with EU citizens — are frantically trying to figure out what GDPR means for them, and the tourism industry is no exception.
There is so much information about GDPR out there that it’s a little overwhelming to process and figure out exactly what’s required of your business by the May 25thdeadline. So, in the hope of offering clarity, we’ve written this blog post. We’ll cover what exactly GDPR is, what your business must do to be GDPR compliant, and how GDPR specifically affects the tourism industry.
What is GDPR?
General Data Protection Regulation (GDPR) will come into full effect on the 25th of May 2018 and it will profoundly affect the way companies record, process, and store data acquired from their customers and employees. Put succinctly as possible, GDPR is EU legislation designed to put control of personal data back into the customer’s hands.
GDPR was first established in 2016 and has been part of the EU’s proactive attitude towards internet security and data privacy. However, the recent Cambridge Analytica scandal is a timely reminder of the risks associated with data protection and it should serve a stern warning to any person or business unwilling to prioritise their customers’ right to privacy.
Is Your Business GDPR Compliant?
Failure to comply with GDPR by the 25th of May could result in a heavy fine, and the EU has given ample notice of its deadline. To be GDPR compliant, your company must be able to prove it has met the following data-processing conditions:
- Data must be collected transparently;
- Data must be used only for the purpose stated when it was collected;
- Data must be accurate and up-to-date;
- Data must be adequately protected from hackers or third parties who may try to access it;
- And data must be completely deleted when the relationship with your customer/client/employee ends.
Don’t be overwhelmed by this. Instead, try to follow these easy steps:
Step 1 – Fully Audit Your Current Data
Organise all of your data to figure exactly what you have. Once you’ve taken stock of your data, figure out if you’d asked customers/guests for consent to keep the data. Do you have a record of this consent?
Step 2 – Getting Consent for Data
Any customer making a booking will have to enter their data and you don’t need an additional consent form for this. However, if you plan to use this data later on, for marketing purposes, then you will require record of consent for it. For past data, you could reach out to your previous customers and ask to keep the data, explaining what it’s for (if they had a positive experience with your company they will probably be happy to be contacted by you again). However, only contact previous customers before the deadline. After that, you may simply have to delete any data you don’t have explicit consent for. For new data, make asking for consent part of your booking process to cover you in the future. Make the language as clear and explicit as possible and perhaps ask for legal advice to get the wording just right.
Step 3 – Assess and Update Your Security
As a vital part of GDPR involves providing adequate security for your customers’ data, it’s important for you assess your company’s data security. Is your database secure? Do you have the latest firewalls and internet security programs? An additional concern specifically for the tourism industry is that we often have to share customers’ details with suppliers if we’re working with various different services. Be very careful with this, and make sure that everything you share is secure. If you have a few regular suppliers, you could get in contact with them and ask what they’re doing to ensure they are GDPR compliant too.
For a more in-depth guide of how you can ensure your business is GDPR compliant, checkout ICO’s Guide to the GDPR.
How Does GDPR Specifically Impact the Tourism Industry?
As we said above, GDPR affects any company that offers goods or services to people within the EU. This might not affect some industries outside of the EU, but it’s pretty much guaranteed to affect everyone in the tourism industry, regardless of your niche. This is because your target audience hopefully pulls from many countries from around the World, people living in the EU.
GDPR also affects the tourism industry a little differently because it’s pretty much guaranteed that customers will come from all over the World. This may make it a little more difficult to track down previous customers and ask for consent to keep their data. Send off a polite, clearly worded email and hope they get back to you.
However, one area where the tourism industry has a very notable advantage over most other industries is customer goodwill and interest. Most people are happy to be contacted about possible discounts on hotels, flights, tours, etc. Holidays, and travel in general, are of high interest to potential customers all-year-round, so you may find past and future customers are more than happy to provide consent for you to use their data to offer them special deals and holiday promotions. Tourism is often one of the only industries where people are happy to receive regular marketing communications.
GDPR simply isn’t as scary as some of the other scare-mongering articles on the net are letting on, but you will need to adjust the way your company records, stores, and shares data. We hope this article has helped a few readers understand GDPR and how it impacts the tourism industry.
Need more free advice?
Chris and his team will send you a weekly email offering high-value insight and advice about a variety of marketing and business development topics related to the tourism industry. We address specific destinations, tours and activities, and the hotel industry. We also provide important travel industry news and updates.