AUTHOR: GONÇALO TEIXEIRA
If you’re a travel agency manager, we expect you’ve heard about the General Data Privacy Regulation (GDPR) published on 25 May 2018.
The legislation has a big impact on the way travel agencies and their marketers use their proposal management and travel itinerary builder software and how organizations obtain, store, manage or process the personal data of EU citizens.
To start, we want to highlight research carried out by the HubSpot team, and unfortunately it’s not good news. Just 36% of travel agency marketers have heard of GDPR, while 15% of travel agencies have done nothing, and are at risk of non-compliance. We would go as far as to say there’s a worrying lack of action, and most companies working in the travel and tourism industry are not ready for the GDPR. However, we’re optimistic this blog post will act as a conversation starter and inspire action within the industry.
There are two important parts of the Regulation that we want to highlight:
- First up, even if you’re based outside of the EU, but you control or process the data of EU citizens, the GDPR will apply to you.
- Secondly, the potential penalties for falling foul of GDPR are severe. Depending on the type of violation, companies will incur fines of up to €20 million or 4% of their global annual revenue (whichever is greater). These big penalties show that the regulators mean business and companies cannot afford to ignore the legislation.
On a more upbeat note, we think the legislation is a positive step. It’s an opportunity for travel agencies to continue doing positive work in a way that puts people and their concerns at the forefront. It also means travel agencies will have to work harder to earn attention and gain the right to communicate with people on an ongoing basis.
But hard work won’t be enough: travel agencies will be forced to up their game and become more creative if they want to succeed. Again, we don’t see that as a bad outcome at all. Anything that gives more power to consumers and improves travel agencies’ marketing and selling initiatives is to be welcomed.
But those companies which have put their own needs ahead of consumers and indulged in shady or outbound tactics are in for a shock. Their world is going to change dramatically as the GDPR will hasten the demise of marketing and sales tactics like buying lists, cold emailing and spam.
Not only are these tactics outdated, they provide a poor experience for the recipient and they’re becoming less and less effective by the day. Inbound marketing has always been the antithesis to these tactics — it puts the consumer first and attracts them with valuable content. But now, via regulation, others are going to have to adapt their marketing playbook.
What impact will the GDPR have on my travel agency proposal and travel itinerary presentations?
You may be asking yourself, “where should I start with GDPR?”. There’s a lot to digest when it comes to the new Regulation so, to help you out, HubSpot has created a very interesting dedicated GDPR web page with a tonne of information about the GDPR, including what it is, why it came about, a glossary of terms and the most important of the changes the GDPR brings to EU data privacy legislation.
With that covered, and to help you better understand how to act when presenting your online proposals and digital travel itineraries to leads obtained through your inbound marketing initiatives (via a website form or lead conversion landing page, for example), we’re now going to work our way through the inbound marketing methodology and look at the GDPR principles you should consider at each stage.
Stage 1 – Data Collection
Transparency
The GDPR was designed to ensure that there will be more transparency between the organizations who collect and control the data (the ‘Data Controllers’) and the individuals whose personal data is being collected (the ‘Data Subjects’). This means that any organization which attracts people to its website and wants to collect data via a form must communicate clearly to that person what the data is going to be used for. The individual will need to give their consent to that use and the consent needs to be clear, in plain English or any other language used by the travel agency, and “informed, specific, unambiguous, and revocable”. Data subjects also need to be told about their right to withdraw consent.
Example: Meet Amy Meyer. She lives in Germany, has a passion for travelling, and we’re going to use her as an example throughout this post. If Amy downloads an ebook or promotional brochure from The Travel With Us Company to research what options she can combine for her dream trip, The Travel With Us Company will need to make sure that they explain to Amy how they’re going to use her data.
For instance, if The Travel With Us Company is planning to track Amy’s usage of its website, wants to send her more information via email, or is planning to share her data with their affiliates outside the EU, they need to communicate that clearly and Amy needs to consent to that use. It won’t be sufficient for The Travel With Us Company to pre-tick the box on a form to send information to Amy by email, as ‘opt-out consent’ will no longer be permitted under the GDPR.
Importantly, if The Travel With Us Company decides they want to use Amy’s data for a new purpose at any point during the relationship, they’ll need consent from Amy to use the data for that new purpose. So while it’s clearly important to be transparent at the time of collection, it’s also important that organizations remain open and transparent throughout the marketing and sales process, and about how they manage personal data after the relationship has ended.
Data Minimisation
When an organization is collecting data from an individual in order to convert a website visitor into a lead, they must remember that, under the GDPR, they are only permitted to collect data that is adequate, relevant, and limited to what is necessary for the intended purpose of collection. Data collected by the organization which is deemed unnecessary or excessive will constitute a breach of the GDPR.
Example: The Travel With Us Company created a landing page for prospects like Amy to download an ebook and a brochure on travelling experiences. Before Amy can download the ebook, she will need to complete the fields created by The Travel With Us Company. It’s reasonable that they might want to collect her name, email address and even details about the project Amy is about to undertake. However, if they were to attempt to collect information about Amy’s family (for example, if she is married or how many children she has) or her health, this would be excessive as that data should not be required by a travel company.
Stage 2 – Data Storage and Processing
Purpose and Usage Limitation
Organizations can only use the data collected and stored by them for specified, explicit, and legitimate purposes. They’re not allowed to use it in any way that would be incompatible with the intended purpose for which it was collected. Also, if they plan to transfer or share the data with another company, they need to ensure they have consent from the person to do so.
Example: After Amy Meyer has downloaded the e-book or travel brochure from The Travel With Us Company, Amy decides that she wants to enrol in an online course to learn more about Viewtravel, for example. If the online course is being run by a third-party training company on behalf of The Travel With Us Company, The Travel With Us Company will need to ensure that the training company has Amy’s consent to use the data. In addition, the training company will not be able to use the data for any purpose other than the purposes Amy consented to.
Security
Once data is collected, the organization needs to ensure it is stored in a secure manner and in accordance with the Security provisions of the GDPR. This means they must use “appropriate technical and organizational security measures” to protect personal data against unauthorised processing and accidental loss, disclosure, access, destruction, or alteration. Depending on the type of data collected and the ways it is being used, companies may need to consider encrypting the data, using pseudonymization or anonymization methods to protect it or segregating the data from other data in their systems.
Example: Now that Amy Meyer’s data is stored in The Travel With Us Company’s systems, it is the responsibility of The Travel With Us Company to ensure it is kept safe and secure. Before collecting the data, The Travel With Us Company should have assessed the types of data they planned to collect and worked with their security team to ensure that its handling meets the standards of the GDPR.
These standards will differ depending on the kinds of data collected (for instance, security standards will be higher for sensitive data, biometric data or data about children) and how they’ll use that data. Only employees who need to access that data for the intended purpose should have access to it, and contracts with any vendors touching that data should contain the relevant security protections.
Accuracy
People will now be able to ask organizations at any time to correct or update their data if the information is no longer accurate.
Example: Amy Meyer has bought some travel packages from The Travel With Us Company and has also signed up to their loyalty program to receive discounts and new travel and tour ideas via email. Amy has moved to a new email service provider and wants The Travel With Us Company to update her data so she receives emails at her new email address.
Accountability
The organization is responsible for ensuring they comply with their obligations under the GDPR. Not only will they need to keep records to prove compliance (for instance, records of consent for all of the data collected), they’ll also need to ensure they have policies in place governing the collection and use of that data.
They may need to appoint a data protection officer (DPO) and they’ll also need to ensure they implement a ‘Privacy by Design/Default’ policy, to ensure they’re systematically considering the potential impact that a project or initiative might have on the privacy of individuals. Controllers will have to ensure their vendor contracts are updated so that they include the necessary provisions to protect the data being processed by those vendors on their behalf.
Example: The Travel With Us Company decides to run a marketing campaign targeting people like Amy, promoting a travel package presented with Viewtravel, and will run a webinar on how to use Viewtravel, delivered by a third-party training company. Before running the campaign, The Travel With Us Company will need to ensure their system has the capability not only to obtain Amy’s and the other participants’ consent to all uses of their data (including sharing it with the third party), but also to record that consent. They will also need policies about how they will use that data, and must ensure the contract with the training company includes the necessary provisions required in Processor contracts under Article 28 of the GDPR.
Stage 3 – End of the Relationship
Retention
Organizations may only hold on to personal data for as long as is necessary to fulfill the intended purpose of collection. So if the relationship is terminated for any reason, they need to ensure they have a data retention policy in place which outlines how long they will retain that individual’s data for and the business justification for holding on to the data for that specified period.
In drafting their retention policies, organizations will need to consider whether there is any law or regulation which obliges them to hold on to some of that data for specified periods. For example, they may need to retain some financial data for auditing purposes by law. While this is permitted, it should be outlined clearly in their retention policy and made clear to Amy. Again, the principle of transparency is important, even at this stage in the relationship.
Example: After ordering tickets from The Travel With Us Company and going on the trip, Amy no longer requires the services of The Travel With Us Company and closes her account with them. The Travel With Us Company will need to ensure they comply with their own data retention policy if they want to hold on to any of Amy’s data after her account is closed.
Deletion
If the individual requests at any time that their data should be deleted, the data controller has to comply with that request and confirm the deletion, not only from their own systems but also from the systems of any downstream vendors that were processing that data on behalf of the organization.
Example: After ordering tickets from The Travel With Us Company, Amy has now found out about a competitor that is offering better products and wants her data to be deleted from The Travel With Us Company’s database. She sends an email to request the deletion and the company follows up quickly with the confirmation of her deletion. The company should ensure that Amy’s data is also removed from its vendors’ databases.
Why Travel Agencies, Other Companies in the Travel and Tourism Industry, and Their Marketing Departments Should Welcome the GDPR
There’s lots that organizations must do to ensure they comply with the GDPR, but we welcome it. In fact, we see three big changes coming that will boost the travel and tourism industry:
1) People’s attention will be treated with the respect it deserves.
For travel agency marketers to succeed with GDPR, they’re going to have to focus on providing even more value to customers. This means the job of a marketer is going to get more difficult. They will have to work hard (really hard) to attract consumers and earn the right to speak with people. But they should — attention is a valuable commodity, and in truth it’s been abused by marketers over the years.
2) Greater transparency between people and the companies that hold their data.
If the GDPR is successful it will provide greater transparency and control to EU citizens over how their data is being used by organizations. Transparency is key. Today, few people see the benefits of sharing data, but they often do because they want to use a service or product. Forcing companies that collect data to become transparent means they will need to communicate and provide value to the person. We expect greater communication and transparency around data collection will lead to better understanding about why people should share data.
3) A higher bar for travel agency marketers has been set.
Let’s not fool ourselves — the GDPR is (forcibly) raising the bar for marketers and for travel agencies’ marketing and sales initiatives. Tactics which don’t have GDPR-compliant consent mechanisms built in will be consigned to the history books. This means travel agencies will need fresh thinking and will have to innovate. The end result is that to succeed in this new reality and comply with the GDPR, we’re going to see better, more creative and thoughtful proposal management and travel itinerary builder software, and other marketing and sales tools.
We see the GDPR as a watershed moment for the travel and tourism industry. It’s rightly causing many organizations to rethink how they approach proposal management and travel itinerary building and presentation, but it’s also a huge opportunity for businesses to articulate the importance of people sharing their data and how it leads to greater personalization, better products and services, and a more efficient data economy.
For too long businesses have remained silent on this issue. A discussion is long overdue and we’re excited to help shape it.
Would you like to know more about how Viewtravel, the proposal management and travel itinerary builder software, is helping the travel and tourism industry with their GDPR initiatives? Talk to us or request a personalized demo.