A few days ago, a sharply dressed gentleman walked into the office here at Blue Star. He was asking about GDPR and how it related to his travel agency.


Now, for those of you who are new to compliance with European law, GDPR stands for General Data Protection Regulation. It is a set of laws that was put in place in the European Union on April 14th, 2016 and is set to be enforced from May 25th, 2018.

Our visitor’s question was, “We are a travel agency that manages a lot of corporate travel. Our corporate accounts are headquartered in the U.S., but some have a few employees in Europe. How does GDPR affect us?”

Because the Blue Star staff has been getting our clients ready for the GDPR enforcement date since the legislation was enacted in 2016, it wasn’t difficult to get this business leader up to speed on what he and his travel agency needed to do to become compliant.

The first thing we made clear to Dave Tragec – by this time we had learned his name – is that we aren’t lawyers. The Blue Star team handles the data security side of the GDPR compliance equation for our clients. Fortunately for Dave, the Blue Star team also supports a few law firms that have in-depth knowledge of the GDPR legislation. We gave him a few business cards of people we knew could help him with any nuanced legal questions he might have, and then began to get him up to speed on the basics of data protection.

GDPR Has Six Principles Your Travel Agency Needs To Know About.

First, let’s look at how they appear in the legislation itself. Quoting the GDPR:

Personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

The Six Principles Of Data Protection Set Out By The GDPR Make The Following Demands Of Indiana And Michigan Travel Agencies

Before we explain what each principle means for your travel agency, we should note that the GDPR impacts ONLY the information (data) gathered from people within the EU. (The United Kingdom is enacting similar legislation, so data gathered from the UK should be treated in the same manner as EU-sourced data.)

The simplest thing for a US-based company to do is to segment its data collection, management, and processing into EU and non-EU “buckets.” The EU data “bucket” is subject to the following GDPR principles.

Note: NONE of your current data is grandfathered under GDPR. Using data gathered from EU-based individuals for ANY purpose other than the one for which the owner of the data gave consent is not allowed. You must contact the individual and gain their consent for any additional “processing” (use) of their data.

Principle #1 – “lawfully, fairly and in a transparent manner”

Principle #1 requires your travel agency to be up front with EU residents about what they are “signing up for” when they give you their data, and it puts the responsibility for the fair and lawful use of that data on the company collecting it.

Principle #2 – “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”

Principle #2 makes it clear that a travel agency such as yours can only use the data collected in a way that is consistent with the specific consent given by the owner of that information.

Principle #3 – “adequate, relevant and limited to what is necessary in relation to the purposes”

Principle #3 demands that companies here in Indiana and Michigan that do business with EU residents collect no more data than is absolutely necessary to accomplish the “purpose” for which the individual is giving the data to the company.

Principle #4 – “accurate and, where necessary, kept up to date”

Principle #4 requires companies to keep the personal data they collect accurate and, where necessary, up to date.

Principle #5 – “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes”

Principle #5 concerns itself with how long data is kept. Data that does not identify the person it came from (such as a blind survey) may be kept without limit, but data that can be traced back to a specific individual must be deleted once the “purpose” (usually a transaction or subscription of some sort) for which the owner of the information gave consent is accomplished.

Principle #6 – “processed in a manner that ensures appropriate security of the personal data”

Principle #6 requires travel agencies that do business with anyone living in the EU to have data security protocols in place that ensure the protection of that data. Any breach in which data sourced from EU individuals is compromised by hackers, internal IT theft, or industrial espionage can leave the company that collected that data subject to penalties and stiff fines under the GDPR.

How Does The Blue Star Team Help Travel Agencies Become GDPR Compliant?

  • Our IT consultants work with agencies like yours to determine whether your data needs to be segmented into EU and non-EU data streams.
  • Our IT consultants help you set up data collection (and deletion) for marketing and transactions with EU individuals that is consistent with GDPR principles.
  • Our IT security professionals ensure that the data you collect from EU individuals is protected with the latest cybersecurity strategies and protocols.


Published on 18th May 2018 by Jon Morningstar
