It starts with GDPR
The General Data Protection Regulation (GDPR) 2016 is an EU regulation which was enacted into UK law through the Data Protection Act (DPA) 2018. Before Brexit the GDPR had direct effect in the UK, but since Brexit the DPA has effectively imported it into UK domestic law as the so-called ‘UK GDPR’. (For brevity I will refer to both UK and EU versions as ‘GDPR’ unless otherwise stated.)
- Who is collecting and ‘controlling’ the data, and their contact details.
- The intended purposes and legal basis for the processing of the data, such as the customer’s consent.
- What categories of personal data will be collected and processed.
- The fact that you intend to transfer the data outside of the country, who you are sharing it with and the legal basis for doing this.
- How long you will store the customer data.
- The individual’s rights over their data, including the right to withdraw their consent.
All of these are requirements under GDPR, and it should all be explained accurately and in plain English so that customers can understand what is happening to their data.
The point about transferring customer data is crucial for travel businesses which will very often be sending personal data to suppliers abroad. This is known as making a ‘restricted transfer’ and it is important to ensure that you are doing it with the right authorisations and safeguards. See our library of articles, including this one, for more on the requirements for data transfers.
Every organisation that handles data about identifiable individuals, such as their customers, needs to show what it is doing to comply with GDPR, and make its policy available to customers and the UK’s independent body set up to uphold information rights, the Information Commissioner’s Office (ICO). Travel businesses typically handle a lot of customer data, from names and addresses through to more sensitive data like passport information, and the protected ‘Special Categories’ of data like dietary requirements, race and ethnicity, and health. Travel businesses, by their nature, are likely to be sending this information abroad in order to make reservations, so it is all the more important to ensure that you are handling data correctly, and also have the right agreements in place for international data transfers.
It is also worth mentioning that organisations and individuals which process personal data (with certain exemptions) need to register with the ICO and pay an annual fee. See the ICO website to check whether you need to pay a fee and how to register.
This article was originally published on: 7 August 2023