How will GDPR affect tour operators, DMCs and travel agents?

Like many of us, you’ve probably started to hear an unfamiliar four-letter acronym spring up more and more over the past few months. Let’s be honest, GDPR, or General Data Protection Regulation, sounds rather uninspiring. Boring names aside, it’s an extremely important piece of legislation that will be coming into effect in May 2018 (Yes, next month!) and, being in the travel industry, you absolutely need to know how it will affect you.

Your time is precious. So we’ve broken this guide down into four key parts to make it nice and straightforward:

• What is GDPR?
• How it will affect tour operators
• What you need to do to make sure your business is prepared
• What tour operator software companies are doing to get ready

What is GDPR?

GDPR is a piece of legislation which will significantly change the way in which data belonging to citizens of the European Union is protected. From May 25th, 2018 any businesses operating inside AND outside the EU will have to maintain much stricter controls on the way in which they collect, record and store personally identifiable data of a European Citizen. Although this is a European piece of legislation, it’s been specifically created to protect EU citizens regardless of where in the world they (or their data) may be, meaning businesses in all corners of the globe will be affected. Tour operators, DMC’s and Travel Agents are particularly exposed, as the chances of providing a product or service (and therefore storing personally identifiable data) to an EU citizen is highly likely.

Click here for a full list of all countries within the European Union.

What is personally identifiable data?

Any piece of data that relates to a specific person that can be used to directly or indirectly identify that person. Standard pieces of data like names, email addresses, phone number or Identification numbers are all personal data; but other less obvious examples exist as well such as credit card numbers, IP addresses, place of education, employer etc.  

How will GDPR affect tour operators, DMC’s and travel agents?

Once it comes into force, GDPR is going to affect almost every tour operator around the world. Any tour operator who doesn’t have a single record of an EU citizen purchasing their services will still need to be prepared for the inevitable day that they get a customer who is, in fact, a citizen of the European Union.

If you store personal data belonging to an EU citizen there are several measures that you’ll need to put in place to ensure that their data is protected to a level deemed safe under the new legislation.

You will need to gain explicit consent to store that data and that consent cannot be given via long-winded terms and conditions as previously allowed. Your customers will need to knowingly opt-in in a transparent and obvious way.

Your customers will have the right to access their own personal data, and if they wish, they will also have the right to request that you permanently erase their personal data.

The data you collect needs to be transportable. Meaning data needs to be in an easily transferable format so that requests to access can be done quickly and easily.

The final piece of the GDPR puzzle involves data processors. The services and tools your business uses to collect and store data need to also comply with the legislation. If they aren’t, you can be found liable.

What do you need to do

First and foremost, being aware of GDPR and what it means is the most important step a tour operator can take in the lead up to May 25th. Once you and your business partners understand the changes you can then adapt your business operations in a more confident and meaningful way.

Make sure the tools you’re using are GDPR ready

Any software your business uses that collects data will need to be GDPR ready. Start by looking at their website or privacy policy and if you have no luck reach out to their support team directly to find out what steps they’re taking. For many tour operators, this means switching from a non-encrypted platform like Excel. Lucky for you, Tourwriter is gearing up to be GDPR compliant across all of its applications by the time the regulation comes into effect. To learn more about Tourwriter, click here.

Adapt your onboarding or sign up process

When bringing on a new customer you’ll more than likely need to store their personal data for your records. Amend your sign-up process so that it includes a clear and concise consent clause. Knowing that your customers have been informed and clearly consented to have their personal data stored will give you peace of mind that you’re covering all of your bases early on in your customer relationships.

Be transparent with your database

GDPR will affect people and businesses across the globe, so there’s no point in shying away from it. Talking openly with your customers and prospects is a great way to show that you take their privacy seriously. Publish a statement on your website outlining what your business is doing to protect your customers, or write a blog to share what you know.

How Tourwriter is making sure we’re ready

As a technology company that has an important role in collecting and storing data, we’ve had to make changes in our business to help our customers get prepared. To learn more about what steps Tourwriter is taking, click here.