GDPR and the Travel Industry

15 March 2018

The General Data Protection Regulations come into effect in May 2018 and will introduce a number of substantive changes to data protection laws across Europe. The changes are likely to be supplemented by new rules in relation to electronic marketing and online tracking.

The GDPR will require all organisations to review how they collect, hold and process personal information and how they communicate with individuals. Travel businesses will need to adopt new measures and update their internal processes to demonstrate their compliance with GDPR. The new rules will be backed up by enhanced enforcement powers with the potential of enormous fines, enforced by the Information Commissioners Office – up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher. The potential fines are substantial and a good reason for companies to ensure compliance with the Regulation.

For a travel business, data is often the most valuable asset of the business - without a list of existing and past customers, the impact on a business’s ability to generate repeat customer sales will have a seriously detrimental effect on its value when it comes to a potential sale. So how you acquire and hold data for existing and potential clients can be the difference between success and failure. It is also vital to make sure that the data you hold in respect of your staff is equally secure and accurate.

In future the following issues need to be considered:

Consent and Transparency

There is a new requirement for `clear affirmative action' and an end to pre-ticked boxes and bundled consents. This will mean your consent notices on line and in brochures must be greatly expanded explaining how customers can opt out of marketing in the future, when data may be collected and exactly what use you may make of it. There will needs to be a warning that data collected may be sent outside the EEA, to GDS centres overseas for example, where data protection may not be as strong as within the EEA. You should also explain that customers have the right to demand full details of the information you hold on them, and unlike in the past, you can no longer charge for providing this information.

Breach notifications

New express obligations for data controllers to notify privacy regulators and affected individuals in the event of certain data privacy breaches, within 72 hours of a breach occurring.


Organisations will have to demonstrate compliance to regulators on an ongoing basis and maintain records of data protection management.

How will this affect me?

Many operators will hold extensive marketing databases containing personal information. This information will be collected through bookings and administration and online and offline marketing activities. Information will be collected directly from individuals, but also via intermediaries such as travel agents and travel search websites. User profiling and online tracking tools such as cookies can be used to help better target marketing campaigns. The GDPR requires organisations to review the information held as well as their processes and adopt new procedures in relation to why and how that information is collected and used.

Specific issues:

Data collection - do your privacy notices and data collection processes meet the new rules on transparency and consent? How do you provide your privacy notice when a booking is made through an intermediary such as a travel agent?

Marketing consent - do you obtain appropriate consent to send individuals electronic marketing?

Marketing lists - if you acquire marketing data from third parties, are you confident that you have the right to use that information and that your supplier is GDPR compliant?

Policies and processes - have you reviewed your data policies and processes for allowing individuals to opt out of future marketing? Do you have a data protection policy in place?

Data retention - how long do you retain information on your marketing databases? Do you have a data cleansing policy? Without consent you may be expected to destroy information after the travel arrangements have been completed and you no longer have a contractual requirement for it.

Workforce data - what information do you hold? How long do you retain it for? Do you need to hold that information? Is the processing fair and lawful?

What do I need to be doing?

  • Carry out a full data audit to see what information you currently hold, and why?
  • Review your data collection forms and privacy notices to ensure they meet the new requirements.
  • Review your processes and systems for dealing with data subjects rights, including new rights in relation to erasure of data and data portability and your use of profiling.
  • Review your supplier arrangements with data processors such as your CRM and bookings management systems and third parties such hoteliers and airlines
  • Ensure that new technology and systems are GDPR ready.

For more information on GDPR and how we can help your business, please contact Rajeev Shaunak, Head of Travel &Tourism, Partner or Chris Harris, Partner.

Get in touch with our expertsEnquire now