Securing business data

Blog Item

The journey to compliance: What does GDPR mean if you operate within the travel sector?

shutterstock_324132068The European Union’s General Data Protection Regulation (GDPR) will come into effect and be enforceable from 25th May 2018, and the enhanced data protection regulation contained within it could have far reaching implications for UK businesses, particularly those in the travel sector.

For the avoidance of doubt, Brexit will have no impact on UK adoption of the regulation. Quite apart from the fact that the UK will still be a part of the EU when it comes into force, the Data Protection Bill before parliament implements GDPR in full, meaning that the provisions of GDPR will still apply after Brexit.

GDPR is essentially an extension of the principles enshrined in existing UK data protection regulation, meaning that companies already taking care of their customers’ data should have little to worry about. However, there are some new rights & obligations, not to mention enhanced enforcement provisions,  that businesses should ensure they are aware of. And if you are a business not taking good care of your customers’ data, now is the time to get it right.

GDPR applies to data controllers (who determine the reason for processing, and how data is processed) and processors (who process the data on behalf of a controller). Note that as a controller you have a duty to ensure that processors provide “sufficient guarantees” on compliance, which can be a particular challenge for companies with extensive supply chains, like TMCs. GDPR applies to personal data (which can now be quite wide reaching, including location data, ID numbers and so on) and sensitive personal data (expanded to include genetic and biometric data)

GDPR demands a legitimate basis for processing personal data. There are many possible legitimate bases for processing, including legal obligations, performance of a contract and others, but perhaps the most controversial basis is consent. A much higher standard for consent is set in GDPR, and as consent must be informed, explicit, active  and specific many companies may have to review their consent provisions, particularly for marketing purposes.

GDPR also enhances personal rights, adding three new rights (right to restriction, right to erasure, right to data portability) to the existing rights in the current Data Protection Act (the right to be informed, the right of access, right of rectification, right to object, and rights regarding automated processing (e.g. appealing automated credit decisions)). Companies must make sure that they can respond to these individual rights requests, and that issues like data retention are addressed.

Breach reporting is also much enhanced, with all processors and controllers obliged to report breaches within 72 hours, and fines of up to €20m or 4% of global turnover.

Essentially, data protection legislation has just grown up, and the GDPR principle of Accountability requires that companies document and demonstrate compliance. UK companies, and TMCs in particular, need to take this seriously. That said, well run companies who look after their customers’ data should find GDPR a logical extension of their current activities. For companies with any concerns, a map of personal data in the organisation is a must have as a starting position, and TMCs in particular should carefully risk assess and engage their supply chain in GDPR compliance conversations as soon as possible.

Author: Kevin Dowd

Job Title: CNS Group Chairman (& expert in all things cyber security)

About Me:
As Chairman of the CNS Group I have a long standing within the IT Security industry, as such I have worked in many different areas; as a CLAS Consultant, PCI DSS QSA & former CHECK Team leader. Having moved from Natwest to start CNS over 20 years ago, I was instrumental in starting the CNS Security Practice, at a point when the cyber security industry was in its infancy. Now responsible for development of the Compliance tool set as well as the Assessment and Audit team, I lead from the coal face which ensures that I understands the challenges facing our entire spectrum of customers. By doing this, I can design the most effective & pragmatic ways for them to gain the assurance they need. 


If you would like to talk to me about achieving GDPR compliance before the deadline, please CLICK HERE 

call us

Get in touch

Talk to our experts today +44 (0) 20 7592 8800

Send us a message

We'll get back to you Send us a message

Connect with us

See what we're saying elsewhere