- Larger companies must appoint a Data Protection Officer to oversee compliance
- Customers must know how firms use their data - and they must explicitly agree to it
INSTEAD of fearing GDPR, travel, transport & hospitality companies should embrace this opportune moment to fine-tune their data foundations, place the customer first and safeguard their bottom line.
Over the last thirty years, the Internet has been the biggest disruptor to the travel, transport and hospitality industry. From apps, aggregators and Airbnb to review sites and price-comparison tools – travel's digital migration is almost complete.
Last year, global online travel sales totalled US$564.87 billion (RM2.2 trillion). By 2019, we're looking at US$755.94 billion (RM2.9 trillion). Digital travel sales in Asia-Pacific are set to grow by 22.5% in 2017 to reach US$214.07 billion (RM837.9 billion), ranking first in the world. Today, about 30% of travellers in Singapore book trips online.
But travel, transport and hospitality is more than bookings and revenue - it's a world within a world. Expedia found that most travellers visit 38 websites before tapping in card details, while HuffPost believes 95% of US travellers read seven reviews before purchasing a trip.
The digital transformation of the travel industry is more than enabling travellers to research and book transport and hospitality online via a range of devices, however.
Each time a user browses, clicks, likes, shares, watches or reads they leave a data trail. And that data has become the lifeblood of the digital industry.
In 2015, the travel, transport and hospitality industry pumped more cash into online advertising than the electronics, media, entertainment and healthcare sectors.
Travel is one of the biggest spenders in programmatic advertising, particularly video, and social media retargeting.
This is why the coming of GDPR on May 25, 2018, redefining the parameters of consumer trust and privacy, represents the next great disruption to the travel, transport and hospitality industry.
A quick word on GDPR
GDPR is not just a beefing up of existing privacy frameworks - it's a complete paradigm shift, asserting that personal data belongs to the individual.
So, from May 25, 2018, organisations must be crystal clear when it comes to personal data and special category data: proving consent was given and explaining what data is being used for; how it's protected, and how long it'll be kept.
Non-compliance starts with a warning, but fines quickly escalate to US$24 million [RM93.95 million] (or 4% of the previous year’s turnover – whichever is greater). Alarming as the penalties are, they may be a drop in the ocean when compared to reputational damage and the loss of customer trust.
Take the recent example of Uber, which decided to cover up the theft of 57 million people’s personal data. Had this happened in the GDPR era, the data leak would have resulted in a fine of US$260 million (RM1.02 billion), or 4% of the company’s global revenue, which was US$6.5 billion (RM25.4 billion) in 2016. This would be significantly higher than the maximum penalties currently in effect (GBP500,000 [RM2.7 million] in the UK). Even without this massive GDPR fine, Uber still had to face a massive negative reputational impact as the story made headlines across the globe.
Although there is no scientific data on the GDPR readiness of travel companies, anecdotal evidence suggests that just 8% of companies are prepared, despite intervention and guidance by industry bodies. The industry is not unique. Other industries are also still finding their feet when it comes to GDPR.
According to the latest Veritas study on GDPR, more than half of organisations in Singapore (56%) are concerned that they will not be able to meet the new EU requirements, and only 18% feel they are already GDPR-compliant.
But it is encouraging to note that 95% of the organisations in Singapore plan to drive behavioural changes through training, rewards and contracts to help ensure that they comply with GDPR policies.