Follow best practice to minimise negative consequences for your business, says Colin Brimson, chief executive of d-flo
The 25th May has passed and the tsunami of “reconfirm your consent” emails has finally subsided, but that still leaves responsible travel businesses with the challenge of maintaining (or perhaps still achieving) GDPR compliance.
In the travel industry, companies hold a lot of personal data, often over an extended period of time, so when it comes to travel communications it is particularly pertinent to consider GDPR compliance and how to follow best practice.
At the heart of best practice will be the philosophy of privacy by design, and you will most likely need a technology platform to help achieve this. A strong communications platform will enable you to automate the creation of customer communications and documentation. By automating these processes, you reduce user exposure to personal data and minimise the opportunity for errors.
Having automated the creation of your documents, you will need to store them – your platform should offer secure storage, not just for internally created documents, but also for externally uploaded ones. Of course, it is important to avoid retaining data longer than necessary, meaning that automated storage retention/deletion policies and processes should be implemented.
There will of course be occasions when documents need to be accessed and modified, but it is key that a complete audit trail is always maintained. In this way, should a security incident occur, it would be possible to quickly identify the event and individuals involved.
For travel customers there is always a frisson of excitement when they receive communication about a trip or their tickets arrive. Considering the personal data that accompanies a travel communication, the security of delivery is highly important. Delivery to a secure portal is a great way to achieve this, and for high-value trips, password-protected or encrypted documents should be considered. At the very least, communications should be tracked and logged so it is always possible to audit the details of the communication such as sender, content and recipient.
One clear element of GDPR is the time limit for a subject access request – you only have 1 month in which to provide an individual with copies of all their data held by your organisation. Consider carefully how you will respond to this without interruption to your daily business – especially if multiple requests occur at the same time. Your technology platforms and solutions should make this an easy process for you. Additionally, should you experience a breach, it must be reported within 72 hours, and the business needs to be in a position very quickly to identify the lost data and affected individuals. Forward planning to ensure your systems can easily identify and present data selected by specific parameters is very important.
When it comes to ongoing GDPR-compliant marketing, you should make sure that the opportunities presented by an extended booking journey are leveraged. During the booking journey a legitimate contract exists between the travel business and customer; in order to meet that contract there will be regular communications about the trip. This enables the travel business to include upsell communications within contractual communications. Evidence shows that conversion is significantly higher for upsell offers that form part of a trip communication than for a traditional marketing activity – there is also no requirement for additional consent.
By following best practice, you will minimise the likelihood of a breach, but of course should you experience such a situation you would potentially still be liable. However, with best-practice processes and good control over the personal data you hold, you will minimise the negative consequences for your business.