May 14, 2018

How Will GDPR Impact the Travel Industry?

by Malek Murison


In recent weeks you might have received a weirdly large number of emails and notifications from companies and applications that you use, asking you to look at updated policies and privacy terms. That's not a coincidence. These moves to adjust policies and develop new codes of conduct are all designed to help companies adhere to new customer data guidelines about to come into place in the European Union.

The legislative change is known as GDPR, which stands for General Data Protection Regulation. Essentially, GDPR is being introduced to better protect customers' privacy. Across the EU, GDPR aims to strengthen and unify data protection for all individuals, governing the storage, processing and sharing of customer data when it comes into effect on May 25th.

So what will this mean in practice for the travel industry?


Just like any other industry, travel companies handle customer data when they process bookings, register potential interest and push marketing campaigns. This data can include everything from names, email addresses and bank details to passport information and biometrics.

The purpose of GDPR is to give customers more power over where and how their personal data is stored and used. With its introduction comes a new set of regulations regarding data privacy, a fining system, a clear responsibility for organizations to obtain consent from people whose information they collect and, in some cases, a requirement for companies to create the role of a data protection officer.

This person's job will be to respond to requests about the purpose of obtaining personal data and provide a copy of all user data if needed. They will also have to set up the data deletion process, as customers have the right to be forgotten: to ask for their personal data to be removed.

GDPR focuses on two main concepts, both of which travel companies will have to get to grips with. These are Consent and Security. Customers need to give consent for their personal data to be secured, which means they need to have an awareness and an understanding of what information is being stored, and why, in the first place.

Once that hurdle is navigated, companies need to protect that data adequately. Let's take a closer look.


Arguably the most significant part of GDPR regards Consent. Customers must give their express consent for their data to be used. They also have to be clear about what exactly it can be used for.

For travel companies, this offers an interesting challenge. Like any other industry, companies in the travel business often rely on mass marketing and email campaigns to draw in leads and target potential customers.

GDPR now means that express consent will need to be given for those emails to be sent out. So could this be the end of email inboxes packed with spam? Maybe. No doubt there will be travel agencies concerned that their huge mailing databases will soon be rendered useless. But in reality, it's more effective to target people who are actually interested in your products and services. Travellers are too savvy these days to take seriously anything less.


There's no doubt that travel agencies carry a lot of responsibility. They often store sensitive data, from bank details to passport information. Arguably this makes the travel industry one of the most vulnerable to data security threats.

In fact, that potential has played out in reality. A report by telecommunications giant Verizon in 2016 discovered that travel & tourism suffers the highest number of cyber-attacks of any industry. So the good thing is that, in a sense, GDPR will help the industry get its act together. That's because the new regulations force all businesses to be accountable for the customer data they hold. There's no hiding or blame-passing if and when things go wrong.

More established companies are bigger targets for data thieves, but they also have the resources to keep personal data secure. Every travel agency should be using encryption for data storage, for example.

What is personal data, anyway?

According to the GDPR definition, ‘personal data’ means any information relating to a person that allows them to be identified directly or indirectly. The regulation lists examples such as name, identification number, location data, or some factors specific to the physical, cultural, or social identity of that person.

From the travel industry aspect, personal data could include the following types and sources of information:

  • ID / Passport details: names, postal addresses, race, origin, biometric data;
  • Contact information: email addresses, telephone numbers;
  • Digital data: photographs and videos;
  • Sensitive data: financial and payment information;
  • HR records: current and former employee details.

Practical GDPR steps for travel companies

So how about a few practical recommendations for companies in the travel space who are running out of time to adhere to the incoming GDPR regulations?

Think about how you're going to obtain customer consent

The first step is one of the most important. In order to be granted permission to hold and process customer information, you need to have systems in place that allow you to obtain the right kind of consent. The GDPR law makes clear the conditions for consent creation. Travel companies have to work in line with those conditions for compliance purposes.

The GDPR rules that govern how companies should obtain consent state that:

  • Consent must be freely given, specific, informed, and unambiguous.
  • Companies must present the consent in an easily accessible format, written in clear language.
  • The consent can’t be inferred from silence, or from visiting and continuing to browse a website. This is important. Consent has to be actively given, never passively assumed. It also needs to be separated from other terms and conditions. The user must complete an affirmative action. The best approach is probably to require a click on an opt-in box.
  • If you gather information about users via cookies, you should give customers the opportunity to accept or reject them.
  • If a user changes their mind, they also must be able to access settings menus to update their preferences.

Another important point: Personal information collected about users for one purpose can’t be used for a different one. That would violate the whole point of informed consent.

An interesting, potentially tricky example of how consent will need to change in the world of travel is with users' email addresses. During a booking process, it's standard for customers to hand over their email addresses to receive their boarding passes or e-tickets.

With GDPR, travel companies have to ask for explicit consent again if they want to use this contact information for marketing campaigns, for example. That goes for airlines, hotels and travel agencies.

Instead of bombarding customers with consent forms and non-stop 'please tick here' boxes, the easiest way to incorporate this philosophy of unambiguous consent is to include multiple tick boxes, one for each type of consent you need.

Within that consent box, travel companies will have to clearly explain why they want to capture personal data, who is requesting it, and who else will have access to it.

Keeping track of the data your travel company stores

Personal information about customers has, before GDPR, been spread across a wide range of departments, from sales to marketing to loyalty. But now, it's more important than ever that travel companies know what data they have, what it's being used for and where it's being securely stored. A good way to keep on top of all of that is to organise a regular information audit.

In theory, this practice will help travel companies keep tabs on the personal data they have, why it's there, what it's being used for and how long it's going to be there for.

GDPR requires that companies communicate with their customers about the purpose and nature of data use. This level of transparency will be much easier to achieve with information audits, particularly for agencies offering sophisticated personalisation of their products.

Part of GDPR is a customer's right to be forgotten, to remove all of their data on a company's system.

Responding to customers' data requests

Because GDPR is all about giving the power back to customers in the personal data relationship, companies in the travel industry need to be ready to deal with data requests as and when they arise.

According to GDPR, all of a company's customers have the right to ask:

  • for a list of the data stored about them;
  • for the company to define data collection purposes and use cases;
  • for an outline of the time period for which the personal data will be stored;
  • for the company to send a copy of all their data that is held;
  • for the company to delete the data about them.

Each company is obligated to supply this information and process such requests. Some of that may be handled via autonomous systems and profiles; some requests may have to go through the company's data protection officer.

Dealing with data breaches

Even with the best security measures in place, it's likely that data breaches will happen at some point down the line. Dealing with these breaches in the correct manner is essential for GDPR compliance and, ultimately, customer confidence.

Travel companies need to have procedures in place to properly detect, report, and investigate any personal data breach. GDPR also states that companies must report certain types of data breach to the Information Commissioner’s Office within 72 hours. If that breach has the potential to impact customers' rights and freedoms, the individuals concerned have to be notified as well.

Providing access to users

Another vital part of GDPR is the notion that customers have access to their data, not just control over how it is stored, processed and obtained.

GDPR states that customers have the right to receive all of their personal information from the company concerned, whether or not that personal data is processed or about to be processed.

For travel companies, this means being in a position to provide customers with access to all of their personal data, as well as details on what that data is being used for.

Making data portable

Under GDPR, companies are also bound to ensure that customer data is portable. What this means is that customers can, at any time, ask for their data to be moved elsewhere, say to an alternative service provider. The notion of portability is that this process will be expedited, provided free of charge and done in such a way that it remains compatible with other organisations.

Should travel companies be worried about GDPR?

There's no doubt that GDPR will change the way that travel companies deal with customer data in the EU. But, although there's work to be done to ensure compliance, these changes in the data landscape can also be viewed as an opportunity.

The bottom line is that, from low-cost airlines to hotels and OTAs, travellers are keen to share their personal data if they think the result will be a more personalized and efficient service.

Speaking to Travel Weekly, Farina Aam, partner at Travlaw, said that travel companies shouldn't be too concerned with the scope of GDPR. “Travel has a definite advantage over other industries because people want to hear about holidays and offers,” she said. “The main reason for the law is to stop spam and data being passed on to third parties. It’s not to stop companies contacting customers about services they have provided in the past.”

Abta’s director of legal affairs, Simon Bunce, agreed that it's not as fearsome as it may appear. “It is being portrayed as big, scary and complicated, and a lot of companies might be tempted to put it off and hope it goes away, so we need to get people engaged.”

“The ICO - The Information Commissioner’s Office (ICO) is the UK regulator tasked with enforcing GDPR - describes it as an evolution rather than a revolution and I think that’s right. Businesses should [already] have a pretty robust system in place, so they should not be starting from zero.”

GDPR in the travel industry: Final thoughts

GDPR: It needn't be a scary process for travel companies.

There's no getting around it: GDPR is going to change the way that every company in the travel business deals with customer data. But here at Travelshift we see these changes as an opportunity rather than something to be intimidated by.

The aim of GDPR is to bring more transparency to the table when it comes to companies and their use of our data. Following high-profile stories in recent times concerning the likes of Facebook and Cambridge Analytica, that sense of trust between customer and business needs some work.

Overall, GDPR has the potential to foster better relationships between travel businesses and their customers. It may seem like a hassle, but ultimately a stronger relationship will bear fruit. New value will be found in the forms of a more efficient, targeted and personalised service. Or it could be in giving customers the right to be forgotten when they want to sever that relationship.

GDPR is also about raising awareness. For years companies have profited from data, digital gold. People have a right to know where their information is being held and who it's being used by, and to take back control if they feel it's necessary. In the world of travel, GDPR represents an opportunity to harness data collected with consent. What's not to love about that?