GDPR and the Travel Agent | Databasix
Airport departure board (August)

GDPR and the Travel Agent

This Month: The Travel Agent…

Welcome to the eighth article in our series of professionally-themed insights for 2019.

Each written with a specific profession or role in mind, they’re packed full of helpful ponderables, tips and advice to make the GDPR work for you in your everyday 9-5.

This month, we’re covering the need-to-knows, good-to-knows and no-nos (!) for all you Travel Agents out there.

We hope it makes your GDPR life that little bit easier.

Dear Travel Agent…

Seeing as you’re probably helping everyone else head off on their jollies, the chances are you’re still around to read this.

Which is timely because, as a Travel Agent, you deal with so much personal customer data, you’ve a whole world of GDPR info to consider – and at this time of year more than ever.

In your line of work, reputation, reliability and trust remain crucial factors for your customers. They rely on you to book their hotels, flights and other travel arrangements. They even entrust you with their bank details, passport information and vaccination history!

So, as well as the great service you provide, why not make the way you look after your customers’ data another USP for them to want to use you?

Here’s some basic guidance and gentle reminders on how best to manage your GDPR role…

GDPR Tips for the Travel Agent

You know what they say: do something good for a customer and they’ll tell about 5 people. Do something bad, however, and they’re more likely to tell 25!

So, when it comes to safeguarding people’s personal and sensitive data, it’s worth getting it right. Otherwise, they can tend to get a little, well, sensitive over it. And rightly so.

Here are some things to consider:

Remember that you’re both a data controller and a data processor.

As a Travel Agent, you really are in the midst of it all. You’ll have your own customers that book through you and use your other services (such as currency exchange) and whose personal information you control because of that direct service provider-customer link. And then there’s your other role where you’re processing your business customers’ employee details on their behalf to book airlines/train and bus companies and hotels that they go on to use.

Crucially, you need to know exactly what’s what on how best to manage these different roles – because it’s when the lines get blurred and responsibility either gets inadvertently neglected or mistakenly passed on that problems arise.

How clear are you on your different responsibilities for your data controller and processor roles?

Be clear on why you’re processing someone’s data and how much you need.

Anyone processing personal data needs a legitimate reason to do so, so it’s worth being sure of what your bases are for the processing you do as an out-and-out data processor as well as the processing contained within your data controller role.

It’s also worth checking that you’re aware of the boundaries in each case too. For instance, if you’ve been assigned to lay on a coach to pick up a travel group, then you’re going to need their names (and possibly gender) to pass on to the coach company. But that’s all. All the coach company or its driver needs is enough information to identify the right people and get them on the coach.

How legitimate is the basis and extent of your processing?

Just be careful!

Okay, this one’s so basic and so obvious, but it’s oh-so-true! We’re not even talking about having secure and robust data management storage systems or highly detailed contingency plans should things go awry.

Nope, we really are referring to the basics… like not losing someone’s passport information or emailing someone’s information to the wrong person or company. Because, trust us, it happens ?

What are the chances of you having a “Oh, ****!” moment?

Only buy in or accept data lists once you’ve carried out some proper due diligence.

Having a well-targeted data list can make such a difference to your marketing (e.g. a ready-made list of people who’ve previously expressed an interest in going to the Caribbean ahead of your Winter Sun campaign).

Of course, the caveat is how was it sourced and did those people whose personal details it contains give their consent? Because if they didn’t (or worse, they’re unaware that their information’s been passed on), you could find yourself in deeper water than those you’d hoped to send them paddling in! And you can bet with a data compliance issue hanging over you, it’s unlikely to be crystal-clear…

Do you know everything there is to know about your data lists?

You need good reason to follow-up with people and retain their details.

In the same way that you need someone’s consent to use their data, it also applies to you being able to continue to contact them. In short, you should only be following up with them for the same reason that they gave their consent in the first place – e.g. a newsletter or perhaps emailing them new season prices so that they can return to their favourite resort each year. Otherwise, you’re not playing by the GDPR rules.

Similarly, you should also be mindful of how long you’re holding onto people’s data for. Again, it should only be for as long as the original justification requires. Take the coach pick-up scenario again (from the 2nd point above) – once those passengers have been collected, by right, you have no further need to retain their details.

It’s very easy to just let people’s data sit there so that you can slowly add to it. The question is: to what end? If you’re using it to build a profile rather than deliver the service that they originally signed up for, then you really ought to think again…

When was the last time you rationalised your follow-up and retention policies?

In-the-Know… Summary

The Need-To-Knows

  • Know what’s expected of you as both a data controller and
  • You must have a legitimate basis to process someone’s data.
  • That basis also needs to be the correct one!

The Good-To-Knows

  • Having a well-honed GDPR policy could act as a great USP for your business.
  • It’s okay to keep contacting customers if it’s for the reason they initially signed up for.
  • It’s worth reviewing your customer data regularly to check whether you still need to keep it.

The No-Nos!

And whatever you do, please…

  • Don’t dismiss GDPR or not find time to take it seriously.
  • Don’t use a data list if you’ve no idea of its background.
  • Don’t put off asking for help if you need it.

Help and support is only a quick email away

If your knowledge of the GDPR equates more to a wet weekend in Skegness than a luxurious sojourn in Cannes, we can help.

We’ll gladly take you through whatever you need to make it all sunshine and smiles with your GDPR responsibilities – just get in touch.

Of course, it may not seem like a holiday to you at the time, but you’ll be glad you did… ?

Next month in GDPR and The Professional: The Recruitment Agent…

The information and remarks provided in this article represent insight and guidance for best practice which is correct or valid or appropriate at time of publication.

Latest News & Events

What Is a Data Leak and How Do They Happen?

Data leaks are a serious problem for organisations and individuals. In this day and age, individuals freely provide personal information to organisations, therefore a data leak can have a significant impact on both the company and the person. They often involve the exposure of personal data (such as name, address and financial details), with additional damage to the company or organisation in terms of potential financial loss and reputational damage.

Read more

Contact Databasix

Email info@dbxuk.com
Tel 01865 346080

Get Data Protection Services t/a Databasix
is a registered company in England & Wales.
Registration No. 15292208

Unit B Oakwood
Oakfield Industrial Estate
Eynsham
Witney
OX29 4TH

Supported by Business Resilience secured by OxLEP Business
Supported by Business Resilience secured by OxLEP Business