As with many industries, data gathering has revolutionised the way transport companies do business. There are now countless ways in which customers can personalise their travel options – be it through tracking technology, online booking or data analytics.
However, with the EU General Data Protection Regulation (GDPR) taking effect in May 2018, organisations need to be careful about the way they use data processing technology. Although the Regulation isn’t intended to curb the benefits that such tools can provide, it will crack down on any information that is obtained illegitimately, used for purposes other than those that have been agreed upon, or not properly secured.
Any company that fails to comply with the GDPR could face fines of up to €20 million or 4% of its annual global turnover – whichever is greater. If you fall under the scope of the Regulation, you must comply.
Here are some steps you can take to help you prepare for the GDPR:
Appoint a DPO
According to an International Association of Privacy Professionals (IAPP) study, about half of large transport companies will be required to appoint a data protection officer (DPO). Many other organisations might choose to appoint one anyway.
A DPO is responsible for a wide variety of tasks, such as educating the company and employees on important compliance requirements, training staff who are involved in data processing, conducting audits and serving as a point of contact between the company and its supervisory authority. They are required to report to the highest management level at the organisation and, in turn, they should be provided with adequate resources to meet their obligations.
Review data collection practices
Given the concerns over obtaining consent under the GDPR, it’s important to review your data collection practices and see whether you’re using the most appropriate legal ground. Any organisation that can’t establish a legal ground for processing data won’t be able to contact its customers.
If you have no option other than obtaining consent, be sure that your requests meet the requirements of the GDPR.
Create targeted marketing campaigns
If you wish to obtain consent, highly targeted marketing campaigns are the best place to start, according to Scott Logie, managing director of REaD Group. “Travel companies should segment their customer database into smaller groups of people based on their interests, favourite destinations and budgets. The information can then be used to devise personal offers, and ensure a relevant and appropriate stream of contact with customers,” he writes.
“In the long run, a more concise database consisting of customers who are receptive will be much more profitable than a larger selection of people who unknowingly consented […] Whilst it may require a drastic change in approach, if navigated effectively this could be an extremely profitable time for travel companies.”
Prepare for the GDPR
If your organisation is currently preparing for the Regulation, or if you are looking to understand it and to demonstrate the depth of your knowledge of it, you should undertake a GDPR training course. IT Governance offers courses delivered by GDPR experts, which are available in both classroom and distance learning formats.
Depending on your level of knowledge, you may be interested in:
Book these courses together in our Certified GDPR Foundation and Practitioner Combination Course and save 15%.