The EU’s General Data Protection Regulation (GDPR) will soon be changing the rulebook on how organisations can collect, manage, and store personal data. Make sure your travel business is prepared.

As the digital world continues to grow, more people are becoming increasingly aware of what happens with the data they own and generate. Every second, brands are using this information to create new channels of information and interact with consumers.

However, this digital revolution will only be successful if your business can promise the right to privacy through the protection of personal data. A strong focus on Data Security will give your business a competitive advantage, help you to build customer trust, and ultimately, give investors confidence.

Getting to grips with GDPR


The General Data Protection Regulation is set to come into force on 25 May 2018, replacing the Data Protection Act of 1998 and other similar regulations.

Its purpose is to strengthen and unify data protection for all individuals within the European Union, whilst also enforcing stronger privacy and security rules for organisations when handling personal data.

The new law will apply to all companies who are responsible for both selling and storing personal information about European citizens, often referred to as either the ‘controller’ or ‘processor’ of company data.

Information which must be protected includes anything that relates to a person’s identity, such as their name, email address, bank details, social media updates, medical history or even a computer IP address.

To remain compliant, companies will be required to keep a record of all current and existing personal data, how and when an individual provided consent to store and use that data, how the data is being protected and how it’s being used.

Organisations will also need to ensure monitoring protocols have been set in place to avoid a serious data security breach, and appoint a data protection officer who is responsible for GDPR compliance. Failure to comply could result in a fine of up to €20 million or 4% of annual turnover, whichever is greater.

In the unlikely event that a breach does occur, the GDPR states companies must inform the Information Commissioner’s Office (ICO) within 72 hours, detailing the breach and proposals for reversing its effects.

What GDPR means for your travel business


More than anyone, travel firms need to regularly collect a multitude of customer data to provide an effective service, from basic contact information to booking details.

For a travel business to capture this data, it’s not compulsory for the customer to provide clear permission at the time of booking. However, if the business wishes to use this data for marketing purposes, consent may be needed.

Consequently, travel firms will also be required to create a fresh approach towards email and text marketing, as GDPR will put an end to automatic opt-ins and the use of implied consent.

However, regardless of the imminent changes due to take place in May, Abta and Travlaw are advising travel firms not to worry.

Speaking on the new rules, Abta’s director of legal affairs, Simon Bunce says “It is being portrayed as big, scary and complicated, and a lot of companies might be tempted to put it off and hope it goes away, so we need to get people engaged.”

Conversely, Farina Azam, a partner at Travlaw adds “Travel has a definite advantage over other industries as people want to hear about holidays and offers.”

Working closely with Travel Weekly, Abta and Travlaw have helped put together a guide on what travel firms can do to get themselves ready for GDPR.


Firstly, they suggest auditing your data. This should be a step-by-step process that clearly outlines the data you have, the reason you have it, what you plan to use it for and what consent you obtained for holding it.

For help with this, Abta offers its members a handy guidance note and spreadsheet tool that will help you audit your current processes and identify key areas where you may need to make changes.

Secondly, when obtaining a customer’s consent, it must be either written or verbal and you must be able to show exactly how consent was given, including the date.

Try including methods of obtaining consent into your day-to-day interactions with customers, such as when they’re making a booking via your site. When contacting customers directly, consider using a tick box approach alongside promotions for obtaining separate types of consent.


For further guidance on how you should approach the wording for the consent, you can always consider seeking legal advice. If you’re running a call centre, remember to update scripts frequently to add requests for consent.

And finally, review your security. Make sure you know who’s in charge of looking after company data within your agency and why, where its kept, what online security you have and whether it's secure enough.

Travel firms regularly share customer information with suppliers, so it’s important to review the contracts you have in place with 'third-party' suppliers. There is more emphasis on what the ‘processer’ is doing over the ‘controller’.

Remember, the General Data Protection Regulation is just around the corner, so ensure your travel business is well prepared for its arrival.

The travel technology experts

Digital Trip provides advanced, flexible travel technology solutions for the online travel market. We have helped more than 450 travel agents, tour operators, wholesalers and travel specialists find success online. With our advanced travel technology, you can bring your travel business into the digital age with easy-to-use tools that enable you to deliver tailored holidays fast, on every screen and device.

Talk to the experts, contact Digital Trip today