General Data Protection Regulation, or GDPR, gives EU consumers the right to know, understand, and consent to the data companies that collect data about them was an EU legislative change that came into effect back in May 2018. GDPR aims to give control to citizens and residents by unifying the regulation within the EU.
While GDPR pertains to EU countries and citizens, it’s very much relevant to the travel industry, even for companies that operate outside of the EU.
What does GDPR have to do with travel?
Any travel or transportation services provider collecting or processing data about an EU citizen is eligible for GDPR compliance. That includes TMCs, hotels, airlines, ground transportation, booking tools, the GDS, and even companies booking travel for their employees. GDPR also addresses the export of personal data outside EU and EEA areas for citizens within the EU and EEA. Travel organizations collecting data on EU subjects must adhere to GDPR, regardless of their geography or incorporation.
What role does data play in the travel industry?
The travel industry uses data to give consumers a more personalized experience. Personal data transferred to GDS and TMCs, hotels, airlines, ground transportation, and online booking tools. When you book travel arrangements, all that data is recorded and kept to better improve your travel experience.
For example, at Gant Travel, we use your phone number for contact tracing on reservations, so we know exactly who you are when you call in before we even pick up the phone.
Intuitive services offered by brands to a potential customer in the future are a result of data collected by an existing customer. Every day the travel industry is investing and creating new technology to provide customers and potential customers with a more personalized travel experience. Think about it—have you ever seen an ad online for exactly what you’re looking for? Whether it’s a cheap flight, hotel discount, or even for something you never even knew you needed, that’s all a result of collected data.
Kishan Bhandarkar explains that “data has emerged as the most significant component enabling businesses to evolve through their features and capabilities,” in his article, GDPR Implications for the Travel Industry.
What does GDPR have to do with you?
GDPR makes distinctions between data controllers and data processors. Data controllers are directly responsible for deciding how and why data is used. Businesses arranging travel for their employees are considered data controllers. Therefore, businesses are accountable for their travelers’ data and must do their own due diligence to comply with GDPR rules. On the other hand, data processors carry out the controller’s instructions, like online booking tools.
Data controllers are required to gain complicit consent from data subjects and communicate the intent for collecting data and details of the data processors who use the data. They’re also required to do periodic security audits to ensure that their controls are functioning as intended.
Once a data subject has given a data controller consent to their data, they still retain the right to revoke consent at any time in the future.
As a data controller for your travelers’ data, it’s important to make sure that the information you provide is accurate—especially when it relates to travel. As airlines and airports start cracking down on accurate information and Real IDs in the next few years, it’s your job to be sure everything is correct on your company’s end. Especially as you add new travelers to your organization, it’s important to ensure that the information you add is correct, so they won’t encounter any security issues on the road.
