Trade told to act now over new data protection laws

Travel companies are being urged to act now to make sure they’re ready to comply with new data protection laws coming into force in May 2018.

In a session on cyber crime at this week’s ABTA Convention, delegates were told they risk fines of up to 4% of their global turnover if they fail to protect the data of their customers, staff and suppliers.

They also run the risk of being faced with claims if any data is compromised.

Under the new General Data Protection Regulation, claimants will no longer need to demonstrate a financial loss but can claim thousands of pounds for anxiety.

Experts warned that the incidences of hacking was expected to accelerate and pointed out that two thirds relate to small or medium-sized businesses.

Of these, a third was as a result of a member of staff opening or sending something they shouldn’t have.

ABTA itself was a victim of a cyber attack earlier this year when data relating to around 43,000 individuals – agents, operators and customers – was illegally accessed by a hacker.

Chief executive Mark Tanzer told delegates it was a very costly and complex process and said luckily ABTA had insurance.

The new new legislation, the details of which have not yet been finalised, means companies must ensure they have permission from their customers to hold their data for as long as is deemed ‘reasonable’.

It means some companies might risk not complying because they hold on to data for too long.

Companies were advised to scrutinise their cyber risk, identify weak points, test vulnerabilities, train staff to be able to recognise phishing, download the latest virus and security software and back-up data.

They should also have a clear data protection strategy in place, and also be checking that their suppliers have got a good protection policy in place.

"Have a documented process to show you’re thinking about it, talking about it, and testing it, at Board level," said Claire Mulligan, partner at international law firm Kennedys.

She said companies who fall victim will be assessed by regulators on how quickly they react, what they do, and whether there was a response plan in place.

"If you’re seen to be careless and lack lustre, you’ll get a higher fine," she warned.

Delegates were also told the new regulations would bring specific complications for the travel industry, for example in cases when a customer might be booking a holiday as a surprise for a loved one and, therefore, sharing their data without their permission.

Travel companies also often hold particularly sensitive data, such as passport details, dates of birth and credit card details, all of which would incur higher fines in cases of a breach.

"Make sure you have consent to hold and use the data – a person has to actively affirm that you can keep it – and look at how and why you have the data and what you are doing with it," added Mulligan.

For more information on the regulations, there is an overview on the ICO website.