Yes, GDPR Will Affect Your U.S.-Based Travel Company
Important note: this post was written by lowly digital marketing analysts, not god-like GDPR lawyers. The purpose of this article is to briefly show you how travel companies that use website or marketing tools, such as Atlas Republic, are affected by the GDPR and how to be in compliance. This content comes from our interpretation of guidance published by the UK privacy regulator, the Information Commissioner's Office (ICO). It is not intended as legal advice. Like the GDPR itself, this information is subject to change. We strongly advise you to consult the relevant data protection authorities for up-to-date information.
You’ve probably heard the news: “Right to be forgotten,” “Privacy by Design,” 72-hour breach notification, stronger consent requirements for EU consumers, and high fines for non-compliance.
Yes, the EU is clamping down on consumer privacy. As a U.S.-based travel company, should you be concerned?
Why you should be concerned by GDPR if you’re a tour operator or travel agency
If you have clients who visit your travel website, fill out a survey or in some way interact with marketing analytics that collect personal data or behavioral information while they are in the EU, you will need to make sure you’re in compliance. (The GDPR’s reach is tied to where the person is when the data is collected, not to their citizenship: if they are outside the EU at the time, even an EU resident, these rules generally don’t apply.)
In other words, if you’re a travel company that collects or processes data on anyone in the EU, GDPR compliance is not optional, and some form of GDPR compliance training is a good idea. Ignoring the GDPR can cost you up to 4 percent of your global revenue for the previous year (or €20 million, whichever is higher). How regulators plan to enforce this against companies outside the EU is another issue, but it’s better not to mess around with breaking privacy laws (Facebook, anyone?).
What’s the deadline for GDPR compliance?
25 May 2018.
What does GDPR compliance for a travel website look like?
Since time is running out to meet the deadline (May 25), Atlas Republic has compiled what any travel business needs to know about the GDPR, along with advice for meeting its requirements.
Note! If you have a travel website built on Atlas Republic, we’re offering a service level agreement and are working on tools to make sure you’re automatically in compliance.
According to the GDPR, online identifiers such as IP addresses, cookie IDs and user IDs can all be personal data.
This means that, as a travel company that collects data on its EU users, you will have to respect those users’ rights, which include:
- Notifying users that you collect data on them, along with the option to opt out
- The ability for them to view the data you have collected on them
- The ability to rectify data concerning them
- The ability to have their data deleted when they request it
How do I make sure my tour company or travel agency is compliant?
To be GDPR compliant your travel company will need to follow a few guidelines:
Step 1 – Bring Awareness to the new law.
- Make sure your employees are familiar with the risks and challenges around the use of personal data within your tracking systems and are aware that the law is changing to the GDPR. This includes sharing the data with third-party apps and networks (for example, sharing data with Virtuoso, Signature, etc.).
Step 2 – List the information you hold
- Document what personal data you hold, where it came from and who you share it with. We are personally using the template provided by the ICO, which consists of a set of 30 questions you need to answer regarding your use of tracking.
- Review and identify how your current work processes may be affected by the GDPR. Do you have to change some opt-in messages? Do you have a process for sharing tour data? Do you need to build a way for users to access or delete their data?
- Implement and enforce data retention policies while respecting your clients’ privacy (for example, use automated anonymization such as truncating the IP address or dropping the UserID that identifies a user before the data is stored).
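As an added illustration of the IP truncation mentioned above (this is example code written for this article, not code from the original post or from Atlas Republic), the JavaScript below zeroes the last octet of an IPv4 address and everything after the first 48 bits of an IPv6 address before an access-log line is written to storage. The kept prefix widths, the function names and the sample log lines are assumptions made for the example.

```javascript
// Added example, not from the original post: truncate client IP addresses
// before they are persisted in analytics logs. The kept widths (24 bits for
// IPv4, 48 bits for IPv6) are an assumed policy; set them to whatever your
// retention policy actually says.

// Matches an IPv4-mapped IPv6 address such as ::ffff:203.0.113.7, which is how
// many servers report IPv4 clients on a dual-stack socket.
const IPV4_MAPPED = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i;

function isIPv4(ip) {
  const parts = ip.split('.');
  return parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// Zero the last octet: 203.0.113.7 -> 203.0.113.0
function anonymizeIPv4(ip) {
  const octets = ip.split('.').map(Number);
  octets[3] = 0;
  return octets.join('.');
}

// Expand an IPv6 address into eight 4-digit hextets, resolving "::" and any
// embedded dotted IPv4 tail (e.g. 64:ff9b::203.0.113.7). Returns null when the
// string is not a valid IPv6 address.
function expandIPv6(ip) {
  const lastColon = ip.lastIndexOf(':');
  const tailPart = ip.slice(lastColon + 1);
  if (tailPart.includes('.')) {
    if (!isIPv4(tailPart)) return null;
    const [a, b, c, d] = tailPart.split('.').map(Number);
    ip = ip.slice(0, lastColon + 1) +
      ((a << 8) | b).toString(16) + ':' + ((c << 8) | d).toString(16);
  }
  const halves = ip.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 1 ? missing !== 0 : missing < 1) return null;
  const hextets = [...head, ...new Array(missing).fill('0'), ...tail];
  if (!hextets.every((h) => /^[0-9a-f]{1,4}$/i.test(h))) return null;
  return hextets.map((h) => h.padStart(4, '0'));
}

// Keep the first keepBits bits (whole hextets only) and zero the rest.
function anonymizeIPv6(hextets, keepBits = 48) {
  const keep = Math.floor(keepBits / 16);
  return hextets.map((h, i) => (i < keep ? h : '0000')).join(':');
}

function anonymizeIp(ip) {
  const mapped = IPV4_MAPPED.exec(ip);
  // Anonymize the embedded IPv4 rather than wiping the whole mapped address.
  if (mapped && isIPv4(mapped[1])) return `::ffff:${anonymizeIPv4(mapped[1])}`;
  if (isIPv4(ip)) return anonymizeIPv4(ip);
  const hextets = expandIPv6(ip);
  if (hextets) return anonymizeIPv6(hextets);
  throw new Error(`not an IP address: ${ip}`);
}

// Apply it to the client-address field of an access-log line (the first field
// in the common/combined log formats), leaving the rest of the line untouched.
function anonymizeLogLine(line) {
  const sp = line.indexOf(' ');
  if (sp < 0) throw new Error('unexpected log format');
  return anonymizeIp(line.slice(0, sp)) + line.slice(sp);
}

// Constructed sample lines (not real traffic), using documentation addresses.
const SAMPLE_LOG = [
  '203.0.113.7 - - [25/May/2018:10:00:00 +0000] "GET /tours/rome HTTP/1.1" 200 512',
  '2001:db8:85a3::8a2e:370:7334 - - [25/May/2018:10:00:01 +0000] "GET /book HTTP/1.1" 200 1024',
];

for (const line of SAMPLE_LOG) console.log(anonymizeLogLine(line));
```

The truncation has to happen before the raw address reaches disk or a third-party analytics backend; anonymizing a copy while the original is still retained elsewhere just creates a second record and changes nothing about your obligations.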
Step 3 – Communicate privacy information
- Communicate with your customers transparently and offer them a choice, such as asking for consent to tracking and offering an opt-out; this is traditionally done with a small pop-up that appears as soon as the user arrives on the site. Refer to the ICO documentation to learn how to write a privacy notice. A notice might read:
Since [YOUR COMPANY NAME] processes personal data on the basis of your explicit consent, you can exercise the following rights:
- Right of access: you can ask us at any time to access your personal data.
- Right to erasure: you can ask us at any time to delete all the personal data we are processing about you.
- Right to portability: you can ask us at any time for a copy of the personal data we are processing about you, in a structured, machine-readable format.
- Right to withdraw consent: you can withdraw your consent at any time by clicking the following button (include opt-out option here).
Step 4 – Respect Do Not Track preferences by default
- Respect the user’s stated tracking preference. “Do Not Track” (DNT) is a browser setting that asks websites and the third parties they embed (analytics services, advertising networks, social platforms) not to track the user; the browser sends it as the DNT: 1 request header and exposes it to scripts as navigator.doNotTrack. Honoring it is voluntary on the site’s side, so make it a point to configure your analytics system to respect it and not track visitors who have specified “I do not want to be tracked” in their web browser. For more information about Do Not Track, check out donottrack.us.
Step 5 – Provide EU users access to their data
- Make sure that you are able to answer an access request from a user. For example, when a person would like to see the personal data you have collected about them, you need to be able to provide them with this information. We recommend you design a process for this (for example, who is responsible for handling it) and check that it works. If you can answer a comprehensive subject access request, the so-called “nightmare letter”, then you are ready.
Step 6 – Ask EU visitors for consent
- Tracking should be opt-in: only track a traveler after they have given explicit consent, and let them withdraw that consent at any time, at which point tracking stops.
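To show how the Do Not Track check in Step 4 and the opt-in consent in Step 6 fit together in a page, here is an added browser-side consent gate in JavaScript. It is example code written for this article, not code from the original post or from Atlas Republic; the cookie name, the analytics script URL, the six-month consent lifetime and the fake window used to run it outside a browser are all assumptions.

```javascript
// Added example, not from the original post: load the analytics script only
// when the visitor has explicitly opted in and the browser is not sending a
// Do Not Track signal. Cookie name, script URL and lifetime are assumptions.
const CONSENT_COOKIE = 'tracking_consent';
const ANALYTICS_SRC = 'https://analytics.example.com/tracker.js';
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60; // seconds; re-ask after six months

// Browsers expose the DNT signal inconsistently: navigator.doNotTrack is "1"
// in most, "yes" in older Firefox, and some IE/Edge versions used
// window.doNotTrack or navigator.msDoNotTrack instead.
function dntEnabled(win) {
  const nav = win.navigator || {};
  const v = nav.doNotTrack ?? win.doNotTrack ?? nav.msDoNotTrack;
  return v === '1' || v === 'yes';
}

// Parse a document.cookie string; returns 'granted', 'denied', or null when
// the visitor has not answered yet (or the cookie holds an unexpected value).
function readConsent(cookieString) {
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    if (part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    const value = decodeURIComponent(part.slice(eq + 1).trim());
    return value === 'granted' || value === 'denied' ? value : null;
  }
  return null;
}

// Opt-in rule: no tracking unless consent is explicitly 'granted' AND the
// browser is not signalling DNT. "Not yet answered" counts as no consent.
function trackingAllowed(win) {
  if (dntEnabled(win)) return false;
  return readConsent(win.document.cookie) === 'granted';
}

// Record the visitor's choice. A refusal is stored too, so the banner does not
// reappear on every page; withdrawing consent is simply setConsent(win, 'denied').
function setConsent(win, value) {
  if (value !== 'granted' && value !== 'denied') throw new Error('bad consent value');
  win.document.cookie =
    `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// Inject the tracking script only once the gate passes; returns true if loaded.
function loadAnalytics(win) {
  if (!trackingAllowed(win)) return false;
  const script = win.document.createElement('script');
  script.src = ANALYTICS_SRC;
  script.async = true;
  win.document.head.appendChild(script);
  return true;
}

// Test double standing in for a real window so the gate can be exercised
// outside a browser (constructed for this example; in a page, pass `window`).
function makeFakeWindow({ doNotTrack = null, cookie = '' } = {}) {
  const loaded = [];
  return {
    navigator: { doNotTrack },
    document: {
      cookie,
      createElement: () => ({}),
      head: { appendChild: (s) => loaded.push(s.src) },
    },
    loaded,
  };
}

// Demo: a visitor who consented and then withdraws, and a DNT visitor who
// consented (DNT still wins).
const visitor = makeFakeWindow({ cookie: 'session=abc; tracking_consent=granted' });
console.log('consented visitor tracked:', loadAnalytics(visitor));   // true
setConsent(visitor, 'denied');
console.log('after withdrawal tracked:', loadAnalytics(visitor));    // false
const dntVisitor = makeFakeWindow({ doNotTrack: '1', cookie: 'tracking_consent=granted' });
console.log('DNT visitor tracked:', loadAnalytics(dntVisitor));      // false
```

The important design point is that the default is "no": a visitor who has not yet interacted with the banner is not tracked, which is what explicit, opt-in consent means; a banner that starts tracking and merely lets people opt out afterwards does not meet that bar.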
Step 7 – Have a plan for data breaches
- If you don’t already have a data breach procedure, make one. Under the GDPR you must notify the supervisory authority within 72 hours of becoming aware of a breach that is likely to put individuals at risk, and notify the affected individuals without undue delay when the risk to them is high. Consult the ICO’s website for further information.
Step 8 – Obtain parental or guardian consent for any data processing on children
- You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity on children.
Step 9 – Consider making a team member your Data Protection Officer
- Sometimes it takes someone constantly in your ear to keep everyone on track with the GDPR. Consider designating someone on your team to take responsibility for data protection compliance. This will help keep the GDPR visible during important data collection meetings and avoid potentially hefty fines.
There are still changes coming, and if the recent Facebook scandal is any indication of the future, we may have these laws in the States soon enough. It’s better to prepare now rather than later.
If you want to learn how we’re protecting our travel websites for GDPR, check this article out.