One of the biggest challenges for travel companies in 2020 will be instilling a sense of trust in their customers. Scepticism around data privacy has been on the increase since GDPR came into effect. It seems that as consumer awareness of how companies use personal data grows, so does mistrust in the organisation’s commitment to protect it.
A study by Deloitte - GDPR 6 months on, found that 55% of respondents from the EU had actually become more cautious of sharing their data, since the legislation was rolled out.
It’s unlikely that public confidence has grown since, with hacking scandals making headlines months after the regulations came into place. Travel companies, airlines and hotels are especially at risk, in no small part because of the quantity of personal data that consumers need to part with in order to make a booking.
In 2019, the UK ICO fined British Airways a record £177 million (approx.) after a website breach the previous year. Data had been compromised due to BA having taken insufficient security measures to protect its customers. Information Commissioner Elizabeth Denham summed up the public mood by stating, "people's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience”.
As awareness of non-compliance grows, public tolerance for these types of privacy breaches will sharply decline. Companies may have been afforded a grace period after the initial implementation of GDPR, but consumer patience has definitely run out. Organisations can ill-afford to be dismissive of the ICO’s penalties. In November 2018 Marriott International confirmed that hackers had stolen guest records of 339 million customers, including passport numbers, dates of birth and credit card details. The ICO fined the hotel chain £95 million (approx.), and the response from Marriott Chief Executive Officer Arne Sorenson was defensive: “We are disappointed with this notice of intent from the ICO, which we will contest.”
Travel companies would be wise to consider that financial penalties are not the only issue to contend with. While the maximum ICO fine stands at a huge 4% of the total annual worldwide turnover of the preceding financial year, the effects of a security scandal on customer loyalty can have even longer standing implications. With this in mind it’s vital that companies get pro-active when dealing with data protection.
3 Ways to get Ahead of the Hackers:
1. Consult an expert – A surprising number of companies don’t have the infrastructure to implement system changes securely, let alone employ an in-house DPO. The best solution is to outsource to a consultancy firm which can provide the necessary expertise to ensure your IT department is compliant with all regulations.
2. Don’t wait to be discredited – It’s important to remember that even if your system hasn’t been hacked, you can still be investigated and fined for non-compliance by the ICO. Planning ahead means you can ensure your company is taking the correct measures to mitigate potential risks.
3. Treat data with respect – The days of viewing customer data as a company asset are long gone. Taking data protection seriously and communicating to online users that it’s a priority for your organisation, is an essential step in delivering a trustworthy transaction.
If you are looking to outsource your data protection, then theICEway ecosystem of companies can help. The CRIBB Cyber Security brand offers a number of products and services designed to help you increase your cyber resilience, including Data Protection Officer consultancy, Cyber Essentials and Cyber Essentials Plus accreditation. Get in touch to find out more…
GDPR – The General Data Protection Regulation (EU) 2016/679, a regulation in EU law on privacy and data protection which also addresses personal data transfers
ICO – Information Commissioner’s Office; a non-departmental public body sponsored by the Department for Digital, Culture, Media and Sport, the ICO reports directly to Parliament in the UK
DPO – Data Protection Officer; the DPO must act in an independent manner and ensure that organisations apply laws protecting personal data
Cyber Essentials / Cyber Essentials Plus – Cyber Essentials is a Government-backed, industry-supported scheme that helps organisations to guard themselves against cyber-attacks and threats and to demonstrate their overall commitment to cyber security
If you are unsure of your own level of compliance with GDPR, CRIBB Cyber Security’s qualified, approved consultants can help. We can also help you to understand what you need to do to comply with all other Data Protection regulations, simply contact us today to get started!