How to Comply with GDPR: Recommendations for the Travel Industry

How to Comply with GDPR: Recommendations for the Travel Industry

The adoption of the General Data Protection Regulation (GDPR) has become one of the hottest topics across a broad spectrum of industries. The travel industry is no exception. The GDPR applies to the processing of personal data in all member states of the European Union. The main question is how the new data protection regulation will affect businesses. Travel companies will be directly affected thanks to the personal and sensitive data they gather and process. Every travel business works with users’ personal data and supplier information. In this article, we’ll discuss general positions and some specifics of the GDPR adoption in the travel industry.

How to prepare for GDPR

How to prepare for GDPR

What is the General Data Protection Regulation or GDPR?

The GDPR sets rules relating to the protection of people's fundamental rights and freedoms regarding the processing of personal data.

Enforcement date. The EU Parliament approved and adopted the GDPR on April 14, 2016. Regulation enforcement must be in place after a two-year transition period, on May 25, 2018.

The main goal. The GDPR's main goal is to replace the Data Protection Directive 95/46/EC 1998 and to introduce a single data protection law that increases privacy for individuals by enforcing stronger security rules for companies that handle personal data.

The GDPR structure. The full text of the regulation includes 99 articles that contain the rights of individuals and obligations placed on organizations. A lot of the GDPR's main principles are similar to those in the current Data Protection Directive. If your business has already adopted Data Protection Directive principles, it will be a good starting point for implementation of the law. However, there are new elements and important enhancements. Most businesses need to adjust their processes in accordance with these changes.

Territorial scope. The regulation applies directly to all EU member states and has an extraterritorial scope as it enforces non-EU companies to comply with data protection obligations when processing personal information from any individual located in the EU. It doesn’t require any enabling legislation be passed by EU governments.

The purpose. The purpose of the change is to give people easier access to their personal data that companies store, a new fining system, and a clear responsibility for the organizations to obtain consent from people whose information they collect.

Data protection officer. In some circumstances, companies need to appoint a data protection officer, who will be prepared for information requests from users. Data protection officers must respond to requests about the purpose of obtaining personal data and provide a copy of all user data if needed. Also, this role requires setting up the data deletion process.

What data the GDPR consider personal

According to the GDPR definition, ‘personal data’ means any information relating to a person that enables them to be identified directly or indirectly. The regulation lists some main identifiers such as name, identification number, location data, or some factors specific to the physical, cultural, or social identity of that person.

From the travel industry aspect, personal data could include the following types and sources of information:

  • ID / Passport details: names, postal addresses, race, origin, biometric data;
  • Contact information: email addresses, telephone numbers;
  • Digital data: photographs and videos;
  • Sensitive data: financial and payment information;
  • HR records: current and former employee details.

The person whose personal data is processed is called the data subject.

From a data handling perspective, the regulation applies to both ‘controller’ and ‘processor’ companies.

The controller is a person or company that determines the purposes and the means of processing data.

The processor is a person (other than an employee of the data controller) or a company that processes the data on behalf of the controller.

Increasing territorial scope

The GDPR applies to the personal data processing by the controller or processor establishment in the European Union, regardless of whether the processing takes place in the Union or not. Ultimately, the change applies to almost all travel companies that offer products and services in Europe and process personal data of EU citizens as well as other users, located within its borders.

Travel Industry Perspective.  This will mean that global online travel agents or, for instance, US airlines, will be directly regulated by the GDPR. For example, when an Emirates-based hotel sells to EU travel agents or third-party wholesalers based in Europe, it falls under the Regulation. If you monitor the behavior of users who are located within the EU, such as flight destinations and hotel booking in France, you must comply with the requirements. This approach affects the use of web analytics tools, data collection and tracking for personalization and retargeting purposes. It also applies to website visits from users located in the EU, regardless of whether they are EU citizens or not.

Penalties system

The GDPR enforces extremely high penalties divided into two broad categories:

  • Upper level - up to €20 million or 4 percent of total worldwide annual global revenue for the latest financial year for major breaches. Compare this penalty amount with the corresponding data breach in 2012, which can be considered a major one as 1,163,996 debit and credit card records were stolen from a travel agent. Back then, the fine amount was approximately $255,000.
  • Lower level - up to €10 million or 2 percent of total worldwide annual global revenue for the latest financial year for smaller breaches.

The amount of the fine depends on what article’s rules are violated. Generally, breaches of individual privacy rights and freedoms will be the subject of the upper level fines.  Infringements of the controller or processor organization’s obligations, including data security breaches, will result in the lower level fine.

The regulator also has corrective functions:

  • The regulator can give a reprimand where the GDPR provisions were infringed.
  • The regulator can issue an order that certain behaviors must be corrected within a certain time.
  • Penalties will be used in addition to or instead of the regulatory corrective powers.

These are only the main points of the GDPR fine system as penalties for breaches are tiered. Various criteria are considered in each case. They could be the nature, duration, and character of the infringement or types of personal data affected, previous infringements, and cooperation level.

Practical recommendations for travel companies to prepare for GDPR

Data processing is based on consent. According to the regulation, consent means the permission to process personal data given by the individuals. The GDPR sets up conditions and rules for consent creation and businesses must follow them to be in compliance with the act.

New rules that apply to obtaining the consent:

  • Consent must be freely given, specific, informed, and unambiguous.
  • Companies must present the consent in easily accessible form that is written in clear language.
  • The consent can’t be inferred from silence, visiting, and continuing to browse a website. It also needs to be separated from other terms and conditions. The user must complete an affirmative action. The best approach is to create a click with an opt-in box.
  • If you gather information about users via cookies, you should give them the opportunity to accept or reject them.
  • If a user changes their mind, they also must be able to access settings menus to update their preferences.

Personal information collected about users for one purpose can’t be used for a different one.

Travel industry perspective. All airline websites collect user emails addresses so they can send an e-ticket. Usually, the purpose of acquiring these emails is clearly articulated. But airlines must ask for the explicit consent again if they were to use this data for email campaigns.

The same with hotels, if a user gives the consent to collect data to make a hotel booking, the data can’t be used for marketing purposes because the consent for such usage wasn’t given. The best way to contact your customers for consent is to include multiple tick boxes for each type of consent you need.

Travel services, from airport parking lots to hotel room bookings, must explain to customers why they are capturing their personal data, who is requesting that data, and who else will have the access to it.

Audit the data you store

As use cases grow in number and personal information is applied across various departments, it becomes difficult to track all the types of information collected. Organize an information audit. This will help analyze what data you have, why you store it, what you want to do with it, and how long should you keep it. It’s important to determine what consent you have been obtaining for this information. Was it explicit, or not? Do you provide security measures to protect the data from a breach? The Information Commissioner’s Office (ICO) - the UK's independent body created to uphold information rights - has a helpful checklist on its website for companies to assess how well they are prepared for the GDPR rules.

Travel industry perspective., the largest flight, and accommodation OTA, collects a broad spectrum of personal details, including names, travel purposes (leisure or work), travel with children, emails, payment data, etc.

Booking Identifying infromation stores a lot of identifying and non-identifying information about users

The Regulation requires communicating clear purposes of information use. To achieve that, travel companies - especially those collecting data for sophisticated personalization - must organize an information audit.

Review existing contracts

Massive data exchange via APIs is common practice in the travel industry. One of the most important steps for wholesalers today is to upgrade contracts in place that contain the provision about protection of individual rights. Companies should understand how their partners inform data subjects about the transfers they make.

Travel industry perspective. For instance, OTAs send personal data to hotels, other accommodation providers, car rental services, and airlines that may be within or beyond the EU, but still render services to EU citizens.

On the other hand, if your partners purchase the data from you, they must explain how they plan to secure and keep it up-to-date as well as explain to individuals where and how they have obtained the data.

Be ready to respond to user requests

According to regulation rules, all users have the right to ask companies:

  • List the data stored with them;
  • Define data collection purposes and uses cases;
  • Outline the time period for which the personal data will be stored;
  • Send a copy of all their data that is held;
  • Delete the data about them.

Each company is obligated to supply this information and process such requests.

Travel industry perspective. Some of these requests can be addressed autonomously. Virgin America, for instance, allows for deleting some part personal information via an individual user profile.

Virgin America_delete

Source: Virgin America Privacy Policy

Travel companies also need to ensure they can control the process of data deletion by third parties with access to existing information. For instance, when users book a trip, a travel portal transfers the information to a hotel or car rental provider.

Adapt your personalization processes

Most marketing processes in online travel agencies are based on user experience personalization. The GDPR gives companies an opportunity to stop spamming their users, delivering more explicit, valuable personalization instead. If we look at the regulation requirements from the travel standpoint, it could be considered a new opportunity to personalize. Holiday offers, low-cost airlines tickets, or comfortable hotel service suggestions motivate people. Most customers are interested in sharing their personal data to have better, and more personalized service as a result.

If travel companies manage to introduce clear communication and allow travelers to shape promoted travel offers, there will be a real value in meaningful and up-to-date personalization.

Appoint a Data Protection Officer

According to the GDPR, organizations must appoint a data protection officer (DPO) in some circumstances. Specifically, the appointment of a DPO is mandatory when:

  1. The organization is a public authority or body.
  2. The organization engages in regular and systematic monitoring of individuals on a large scale, for instance, online behavior tracking.
  3. The organizations that engage in large scale processing of special categories of data (sensitive personal data) or data relating to criminal convictions and offenses.

There is no exception for small and medium-sized companies. However, each EU country can individually determine the other cases in which they must appoint a DPO.

The DPO could be an existing staff member who takes the responsibility for data protection compliance or companies can hire an external expert for this role.

Travel industry perspective. If you run a local tours and activities service that doesn’t collect any personal data besides emails and you don’t systematically face European tourists, it’s likely that you don’t need a DPO just yet. However, if you operate an OTA that provides services globally and systematically processes user data for booking, marketing, and personalization purposes a data protection officer becomes a necessity.

Enable data breach notifications

Ensure that you set up the right procedures to effectively detect, report, and investigate a personal data breach. According to the GDPR, companies should report certain types of data breach to the Information Commissioner's Office within 72 hours. If the breach can directly affect people's rights and freedoms, individuals must be notified as well.

Travel industry perspective. As OTAs, hotels, and airlines collect and store much of identifying personal data, from names to children’s information, ensuring the right response to breaches becomes critical.

Give users access to the personal data you stored about them

The data subject shall have the right to receive the information from the controller regardless of whether his or her personal data is processed. You should be able to provide users with access to their personal data and information about how this personal data is being processed.

Purposes of data use

Foursquare succeeds at communicating the purposes of data use and providing control over personal data

Travel industry perspective. Partly, this requirement can be met with introducing special privacy sections in user account settings. Similar to the Foursquare example above, users can have access to data categories and must be able to turn on or off some data collection processes.

If the user requests, you must also be ready to provide an overview of the data categories being processed and the copy of actual data. Whether personal data is shared with other companies or transferred to a third party, you must provide detailed information to the data subject about these processes.

Ensure portability of the data you store

The data subject can ask to transfer his or her personal data from one electronic processing system to another. You must be ready for such requests. The data must be provided in a structured and commonly used electronic format. This enables other companies to use the data. The data must be provided free of charge. Users also have the right to request transmission of the data directly to other organizations. However, this doesn’t mean you should adapt your processing systems to be compatible with other organizations.

Travel industry perspective. If you operate a hotel business, it’s likely that you store personal data in a property management system. Be sure your software can export data in common formats, like csv or xlsx.


It’s crucial for your company comply with the GDPR. Regulation compliance is a complicated issue that all company employees must support. To initiate changing of processes for compliance with new rules, your company's top managers must understand the importance of the GDPR and how it will influence your business so that they can be proactive.

While the GDPR will definitely affect almost all travel industry players, it could be an opportunity rather than a threat. It nudges travel businesses to build trustful relationships with customers providing valuable propositions to them. To build such relationships you must ensure that your customers understand why the data is collected. And, remember, they are likely to provide more data to get better personalization. If you use the collected data effectively, your customer will receive more personalized propositions and as a result, be motivated to make the purchase.