Skip to content



The data privacy and associated concerns of your clients are ultimately YOUR concerns, and this article is meant to help simplify a monumental shift coming your way as it relates to handling personal information, including payments.  Payments are pretty important to most businesses, so buckle up for a different sort of ride this time.

It’s no surprise that more regulation is coming designed to protect consumers and their personal information.  Given the huge issues Target and Equifax faced for their massive data breaches, it was only a matter of time before new regulations came out for travel.  And a big one is almost here.  Update:  at the publishing of this post, Orbitz announced a “data security” incident had occurred in which approximately 880,000 cards were affected.

On the 25th of May 2018, GDPR goes into effect.

GDPR or General Data Protection Regulation has been established by the European Union to better protect individual’s personal information such as name, email, account numbers, online activity, medical data, and more from internet hackers.

In my conversations with suppliers and agents, few know much about this new regulation or have started to take action to avoid penalties. In this post, I’m going to provide some background on the regulation, the penalties for non-compliance and some of the points you need to be aware of when it comes to collecting and handling personal data.


Nearly everything we do online involves sharing of some type of personal data.  And the old rules and regulations haven’t kept up with the current state of the world.  Given this, new guidelines are being brought into effect as a means of empowering consumers by forcing companies to become transparent in how they are collecting, storing and sharing their customers’ personal information.  In short, there needs to be more control of how organizations are collecting and holding sensitive data.

And personal information, under the new regulation, includes any details related to a natural person or “Data Subject,” that can be used to directly or indirectly identify the individual.


It’s true this regulation started with the EU and GDPR applies to organizations located within the European Union.  However, it also applies to all companies “processing and holding the personal data of data subjects residing in the EU, regardless of the company’s location.”

In other words, if you’re a travel agent with clients who live in the European Union, GDPR will impact you and your business, and you can be rest assured similar regulations are coming to the U.S. soon enough.

So, you might as well deal with compliance today rather than pay the price with debilitating fines and damage to your business reputation.

As TechCrunch has reported, Internet giant Facebook (a US company) which handles massive amounts of Europeans’ personal data, for example — is going to have to rework multiple business processes to comply with the new rules. And in fact, this has been a major focus within the organization for some time.


The penalties that may be imposed on an organization can be steep. Violations such as not reporting a data breach or failure to implement appropriate technical and organizational safety measures can result in fines up to 4% of annual global turnover or €20 million (whichever is greater). Given this, it makes sense to understand where your organization might be at risk.


For many organizations, they will need to take a close look at how they are collecting data and what they are doing with the data once in their possession.  Below are some of the points organizations will need to consider under this new regulation

  • Customer consent must be given before the collection or processing of personal information.
  • All personal data will need to be collected, processed and stored in ways that are safe, secure and ensures confidentiality.
  • Developments, practices, and policies about how personal data is handled should be readily available including who has access to it, how it’s being used, and what measures are in place to protect it.
  • Collectors and processors are responsible for taking adequate measures for keeping accurate and up-to-date records. After data is no longer necessary or applicable, it must be deleted or destroyed in a secure and timely manner.



In terms of getting started and where to go for more help on this topic, a new industry has sprung up to help travel companies.  One firm that I have talked with and has a solid handle on all the complexities is Caveau.   They specialize in the travel distribution space and are offering simple solutions to deliver the compliance you need to cope with your client’s personal information and credit card security.   Worth looking into if you are exposed to this increased responsibility and risk come the end of May.  A quick search on Google will take you to others.  Also, here’s a helpful  link to the 16 steps you can take right now to prepare you for General Data Protection Regulation.

So like it or not, GDPR is coming.  And the sooner you can make the adjustments to your business the better off you will be. Your organization will be protected from unnecessary risk and possible violations…and secure data management is a point to help you differentiate your brand from others not following compliance.


Leave a Reply