Q: In a recent Legal Briefs column ("Sorting out the intricacies of the EU's new data-protection rules," March 26), you wrote about the European Union's new General Data Protection Regulation (GDPR) that takes effect on May 25. In a nutshell, you wrote that the rules would apply to my U.S. agency only if we do two things: specifically target travelers in EU countries and collect personal data about them. We are indeed planning a marketing campaign, and we may target EU citizens, so what exactly will we have to do to comply?

A: The GDPR makes you legally accountable for what happens to the personal data that you receive.
The definition of "personal data" covers just about every piece of client information that a travel agency or other travel business gets: "'Personal data' means any information relating to an identified or identifiable natural person ... an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
Since you may be getting personal data from EU individuals you are going to target, you have to do these things:
First, make sure all of your staff is aware that personal data must be protected. Have them sign confidentiality agreements or policy statements, and prohibit transfer of personal data out of your office unless specifically authorized by a contract with a data processor.
Second, you must adopt a formal data security policy and train your staff to follow it. Such a policy would be similar in spirit to the Payment Card Industry Data Security Standard (PCI DSS) for credit cards: don't keep sensitive data in hard copy, encrypt the data you store electronically, and dispose of data you no longer need, among other steps.
Third, you have to conduct an audit to establish and record what personal data you hold; where, when and how it was obtained; its source; who it is shared with; the purposes for which it is (and will be) processed and applicable security measures. You have to write all this down because you have to make it available to individuals who request it and to government authorities.
Fourth, you have to obtain consent from the individuals to collect their data for marketing purposes. While you don't have to obtain consent to gather data to make travel arrangements, you do need written consent to solicit them using personal data. You also need to keep a record of each person's consent.
Fifth, you have to post a privacy notice that complies with up to 17 requirements in the rules, but it also must be concise, transparent, intelligible, easily accessible and in "clear and plain language." I haven't yet seen a GDPR-compliant privacy notice for a travel agency. If a reader knows of one, let me know, and I will provide a link in a future column.
Sixth, and hardest of all, you must have an agreement with every data processor, including every travel supplier, stating that the travel supplier agrees to follow the same rules. Otherwise, if the supplier violates the rules, you could be held liable, as strange as that sounds.
I realize that the average travel agency has no way of forcing a large travel supplier to agree to anything, but perhaps ARC will lead the way by adding an addendum to the standard agreement for agencies.
Seventh, if an individual asks what data you have about him or her, you must reveal it. If the individual asks you to delete it, you must do so, unless you are legally required to keep it (for example, records you must retain for accounting or tax purposes).