You might have already heard of GDPR, or the General Data Protection Regulation - a European regulation that was adopted in 2016, but will take effect from May 25th.
There is a lot of talk and rumor about this regulation, so we at TrekkSoft want to give you an update on exactly what GDPR means and how it will affect your tour & activity business.
What is GDPR?
The first goal of the General Data Protection Regulation (GDPR) is to standardize privacy law uniformly within the EU. GDPR applies to all organizations that process and store personal data of EU citizens. So if your company is not based in the European Union, but you deal with personal data of EU citizens, GDPR affects you as well.
The second goal of GDPR is that any action a company undertakes that involves processing personal data must be done with data protection and privacy in mind at every step. Through this, end users should have better control over their own data. They should also know what’s going to happen with their data if they give you consent to use it for a certain purpose. Something that many people, including you, would appreciate knowing when entering data in a website’s form, right?
But what exactly is personal data? Personal data in this sense means all information related to an identified person (data subject), e.g. name, email address, phone number, birth date, cookies, IP address, bank account data, etc.
Why does GDPR matter to tour and activity providers?
As a tour and activity provider, you collect and store personal data of your customers, e.g. with cookies on your website, with a new tour & activity booking or request, or via your newsletter subscription form.
GDPR provides extra protection for data subjects (i.e. your customers/attendees) and stricter requirements in terms of data collection and storage. That means that all providers dealing with personal data have to clearly describe what, how, why, where, and when personal data is used and processed.
Watch out: If you ignore the GDPR requirements, you risk huge fines of up to €20 million or 4% of your global annual revenue (whichever is greater). These big penalties show that no company should even think of disregarding the GDPR legislation.
But don’t panic! There is still some time to become GDPR compliant. We’ve compiled the most important aspects for tour and activity providers in a clear GDPR checklist. Let’s have a look!
Our GDPR checklist for tour & activity providers
For the next couple of weeks, make GDPR a top priority task for your company and your team.
1. Identify your personal data processing practices (according to Art. 30 GDPR):
- What data you process
- How you process it, why (purpose) and where
- Who can access it within your team and at third-party providers (e.g. email software provider), etc.
- Think not only about your customers’ data, but also about your employees’ data.
3. Check your website forms. Do they contain a consent checkbox?
You need to ask your contacts if it’s OK to process their personal data and clearly describe for what purpose you will use it. By ticking the consent checkbox, people agree to the collection of their data. Additionally, every user must be able to opt out as easily as they opted in (right to withdraw). So make sure you integrate an unsubscribe link in your communication emails to give them this option at any time.
Below are two examples of how you can ask your customers for consent:
Example 1: User custom field (checkbox):
Example 2: User custom field (radio buttons):
You also need to make it clear in any newsletter how customers can update their preferences or unsubscribe from future contact. An 'unsubscribe' link should be displayed at the top or bottom of the email form.
Here is an example of what we use at TrekkSoft:
4. Prepare risk management for your company (or ask your data protection officer to do so).
Do you have procedures in place to handle requests from data subjects to modify, delete or access their personal data?
5. Train your team about GDPR.
GDPR affects everyone at the company, not only the business owner. So make sure that everyone in your team knows what it means and what measures your company is taking to become compliant.
Many companies within the tour & activity industry will be affected by GDPR. Maybe you started with GDPR, but are still struggling with what you have to do? Consult an expert to help you out!
What are the benefits of GDPR?
We’ve talked a lot about the regulations and requirements of GDPR. Does it sound like a lot of work for your tour & activity company? It’s a bit of work, but let’s also highlight the benefits of GDPR for your tour & activity company.
If your company is compliant with GDPR, it means that guests are more likely to book with you than with any other “untrustworthy” tour operator. Website visitors can directly see if you are compliant with the new regulation or not.
Additionally, GDPR gives more power to consumers. It puts the consumer first and gives him or her more transparency about his/her data usage. And who does not want to know exactly what is happening with their own data?
If you have any queries about GDPR at TrekkSoft, contact our DPO (Data Protection Officer) Katja Schröppel by email at firstname.lastname@example.org.
Please note that this information provides background information to help you better understand GDPR. It is not legal advice, so you should not rely on this as legal advice, or as a recommendation of any particular legal understanding. If you need more information on how to implement GDPR within your company, we recommend consulting a lawyer.