What impact will the GDPR have on my travel agency proposal and travel itinerary presentations?
You may be asking yourself, “where should I start with GDPR?”. There’s a lot to digest when it comes to the new Regulation so, to help you out, Hubspot has created a very interesting dedicated GDPR web page with a tonne of information about the GDPR, including what it is, why it came about, a glossary of terms and the most important of the changes the GDPR brings to EU data privacy legislation.
With that covered, and in order to help you better understand how to act when presenting your online proposals and your digital travel itineraries to your leads, obtained trough your inbound marketing initiatives (via website form or lead conversion landing page for example), we’re now going to work our way through the inbound marketing methodology and look at the GDPR principles you should consider at the various stages of the inbound marketing methodology.
Stage 1 – Data Collection
The GDPR was designed to ensure that there will be more transparency between the organizations who collect and control the data (the ‘Data Controllers’) and the individuals whose personal data is being collected (the ‘Data Subjects’). This means that any organization which attracts people to its website and wants to collect data via a form must communicate clearly to that person what the data is going to be used for. The individual will need to give their consent to that use and the consent needs to be clear, in plain English or any other language used by the travel agency, and “informed, specific, unambiguous, and revocable“. Data subjects also need to be told about their right to withdraw consent.
Example: Meet Amy Meyer. She lives in Germany, has a passion for travelling, and we’re going to use her as an example throughout this post. If Amy downloads an ebook or promotional brochure from The travel With Us Company to research what options she can combine for her dream trip, The Travel With Us Company will need to make sure that they explain to Amy how they’re going to use her data.
For instance, if The travel With Us Company is planning to track Amy’s usage of its website, wants to send her more information via email, or is planning to share it with their affiliates outside the EU, they need to communicate that clearly and Amy needs to consent to that use. It won’t be sufficient for The travel With Us Company to pre-tick the box on a form to send information to Amy by email, as ‘opt-out consent’ will no longer be permitted under the GDPR.
Importantly, if The travel With Us Company decides they want to use Amy’s data for a new purpose at any point during the relationship, they’ll need consent from Amy to use the data for that new purpose. So while it’s clearly important to be transparent at the time of collection, it’s important that organizations remain open and transparent throughout the marketing and sales process, and in terms of how it manages personal data after the relationship has ended.
When an organization is collecting data from an individual in order to convert a website visitor into a lead, they must remember that, under the GDPR, they are only permitted to collect data that is adequate, relevant, and limited to what is necessary for the intended purpose of collection. Data collected by the organization which is deemed unnecessary or excessive will constitute a breach of the GDPR.
Example: The travel With Us Company created a landing page for prospects like Amy to download an ebook and a brochure on travelling experiences. Before Amy can download the ebook, she will need to complete the fields created by The travel With Us Company. It’s reasonable that they might want to collect her name, email address and even details about the project Amy is about to undertake. However, if they were to attempt to collect information about Amy’s family (for example, if she is married or how many children she has) or her health, this would be excessive as that data should not be required by a painting and decorating company.
Stage 2 – Data Storage and Processing
Purpose and Usage Limitation
Organizations can only use the data collected and stored by them for specified, explicit, and legitimate purposes. They’re not allowed to use it in any way that would be incompatible with the intended purpose for which it was collected. Also, if they plan to transfer or share the data with another company, they need to ensure they have consent from the person to do so.
Example: After Amy Meyer has downloaded the e-book or travel brochure from The travel With Us Company, Amy decides that she wants to enrol in an online course to learn more about Viewtravel for example. If the online course is being run by a third party training company on behalf of The travel With Us Company, they, The travel With Us Company will need to ensure that the training company have Amy’s consent to use the data. In addition, the training company will not be able to use the data for any other purpose other than the purposes Amy consented to.
Once data is collected, the organization needs to ensure it is stored in a secure manner and in accordance with the Security provisions of the GDPR. This means they must use “appropriate technical and organizational security measures” to protect personal data against unauthorised processing and accidental loss, disclosure, access, destruction, or alteration. Depending on the type of data collected and the ways it is being used, companies may need to consider encrypting the data, using pseudonymization or anonymization methods to protect it or segregating the data from other data in their systems.
Example: Now that Amy Meyer’s data is stored in The travel With Us Company’s systems, it is the responsibility of The travel With Us Company to ensure it is kept safe and secure. Before collecting the data, The travel With Us Company should have assessed the types of data they planned to collect and work with their security team to ensure that it meets the standards of the GDPR.
These standards will differ depending on the kinds of data collected (for instance, security standards will be higher for sensitive data, biometric data or data about children) and how they’ll use that data. Only employees who need to access that data for the intended purpose have access to it and contracts with any vendors touching that data contain the relevant security protections.
People will now be able to ask organizations at any time to correct or update their data if the information is no longer accurate.
Example: Amy Meyer has bought some travel packages from The travel With Us Company and has also signed up to their loyalty program to receive discounts and new travel and tours ideas via email. Amy has moved to a new email service provider and wants The travel With Us Company to update her data so she receives emails to her new email address.
The organization is responsible for ensuring they comply with their obligations under the GDPR. Not only will they need to keep records to prove compliance (for instance, records of consent for all of the data collected), they’ll also need to ensure they have policies in place governing the collection and use of that data.
They may need to appoint a data protection officer (DPO) and they’ll also need to ensure they implement a ‘Privacy by Design/Default’ policy, to ensure they’re systematically considering the potential impact that a project or initiative might have on the privacy of individuals. Controllers will have to ensure their vendor contracts are updated so that they include the necessary provisions to protect the data being processed by those vendors on their behalf.
Example: The travel With Us Company decides to run a marketing campaign targeting people like Amy, promoting a travel package presented with Viewtravel and will run a webinar on how to use Viewtravel performed by a third party training company. Before running the campaign, The travel With Us Company will need to ensure their system has the capability to not only obtain Amy’s and the other participant’s consent to all uses of their data (including sharing it with the third party), but also to record that consent. They will also need policies about how they will use that data, and ensure the contract with the training company includes the necessary provisions required in Processor contracts under Article 28 of the GDPR.
Stage 3 – End of the Relationship
Organizations may only hold on to personal data for as long as is necessary to fulfill the intended purpose of collection. So if the relationship is terminated for any reason, they need to ensure they have a data retention policy in place which outlines how long they will retain that individual’s data for and the business justification for holding on to the data for that specified period.
In drafting their retention policies, organizations will need to consider whether there is any law or regulation which obliges them to hold on to some of that data for specified periods. For example, they may need to retain some financial data for auditing purposes by law. While this is permitted, it should be outlined clearly in their retention policy and made clear to Amy. Again, the principle of transparency is important, even at this stage in the relationship.
Example: After ordering tickets from The travel With Us Company and going on the trip, Amy no longer requires the services of The travel With Us Company and closes her account with them. The travel With Us Company will need to ensure they comply with their own data retention policy if they want to hold on to any of Amy’s data after her account is closed.
If the individual requests at any time that their data should be deleted, the data controller has to comply with that request and confirm the deletion, not only from their own systems but from any downward vendors’ systems who were processing that data on behalf of the organization.
Example: After ordering tickets from The travel With Us Company, Amy has now found out about a competitor that is offering better products and wants her data to be deleted from The travel With Us Company’s database. She sends an email to request the deletion and the company follows up quickly with the confirmation of her deletion. The company should ensure that Amy’s data is also removed from it’s vendor’s databases.
Why Travel Agencies or any other companies in the travel and tourism industry and their Marketing Departments Should Welcome the GDPR
There’s lots that organizations must do to ensure they comply with the GDPR, but we welcome it. In fact, we see three big changes coming that will boost the travel and tourism industry:
1) People’s attention will be treated with the respect it deserves.
For travel agencies marketer to succeed with GDPR, they’re going to have to focus on providing even more value to customers. This means the job of a marketer is going to get more difficult. They will have to work hard (really hard) to attract consumers and earn the right to speak with people. But they should — attention is a valuable commodity, and in truth it’s been abused by marketers over the years.
2) Greater transparency between people and the companies that hold their data.
If the GDPR is successful it will provide greater transparency and control to EU citizens over how their data is being used by organizations. Transparency is key. Today, few people see the benefits of sharing data, but they often do because they want to use a service or product. Forcing companies that collect data to become transparent means they will need to communicate and provide value to the person. We expect greater communication and transparency around data collection will lead to better understanding about why people should share data.
3) A higher bar for travel agencies marketers has been set.
Let’s not fool ourselves — the GDPR is (forcibly) raising the bar for marketers and travel agencies marketing and sales initiatives. Tactics which don’t have GDPR-compliant consent mechanisms built in will be consigned to the history books. This means travel agencies will need fresh thinking and have to innovate. The end result is that to succeed in this new reality and comply with the GDPR, we’re going to see better, more creative and thoughtful proposal management and travel itinerary builder software, and other marketing and sales tools.
We see the GDPR as a watershed moment for the travel and tourism industry. It’s rightly causing many organizations to rethink how they approach proposal management and travel itinerary building and presentation, but it’s also a huge opportunity for businesses to articulate the importance of people sharing their data and how it leads to greater personalization, better products and services, and a more efficient data economy.
For too long businesses have remained silent on this issue. A discussion is long overdue and we’re excited to help shape it.
Would you like to know more on how Viewtravel – Proposal management and travel itinerary builder software is helping the travel and tourism with their GDPR initiatives? Talk to us or request for a personalized demo.