GDPR tightens the rules on how companies collect, manage and secure consumer data. This includes ensuring consumers give “explicit consent” to receive marketing messages – effectively ending the practice of having opt-out and pre-ticked boxes.
Security is also one of the major tenets of GDPR, with companies now having to alert the appropriate authorities of any data breach within 72 hours, as well as facing potentially eye-watering fines of up to €20 million or 4% of global turnover per breach.
While GDPR has been on the radar of most EU-based travel firms for at least a year or two, the issue of data security has now seeped into public consciousness with several high-profile cases: most notably the Facebook-Cambridge Analytica scandal, in which the political research firm was able to access the personal data of 87 million Facebook users.
The travel industry has not faced anything on this scale so far, but the dangers are there, particularly with travel firms collecting and storing significant amounts of data on their clients – for example: names, addresses, passport numbers, dates of birth, payment information, loyalty card details and even health information for some customers.
Complying with GDPR is not just an issue for EU-based travel companies; it can also have implications for firms based in other parts of the world.
Paul Stephen, chief executive of global digital marketing agency Sagittarius, says: “GDPR is not about the travel brand – it's about the EU citizen and covers their rights as a person. It doesn't matter whether you are based in the EU or not as a company; it's about whether you are selling to EU citizens.
“Often, travel companies don't know where their customers are based. So if you're marketing to, or expecting to carry, EU citizens, you need to toe the line when it comes to GDPR.”
GDPR is being seen as setting a “new bar” in data protection regulations and similar new rules could eventually be introduced in other countries, particularly now data has become such a “hot” issue for politicians.
It's worth noting that when Facebook chief executive Mark Zuckerberg appeared before two US congressional committees in April, politicians repeatedly asked him if he would extend GDPR's consumer protections to cover US-based users. The US has generally had less stringent rules on data protection and security than the EU, even before GDPR came into force.
“We are in a global world and the EU is setting the bar high – that could be good for the rest of the world,” adds Paul Stephen. “The US already has equivalents to most of the things included in GDPR but they are nowhere near as strict.”