The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. (Source: www.eugdpr.org)

GDPR will be officially enforced on 25th May 2018 – from this date any organisations that are not complying with the new legislation will be hit with heavy fines of up to 4% of annual global turnover or €20 million (whichever is greater).

The new legislation is significant in that it extends jurisdiction to all processing of the personal data of residents of the union, regardless of the company’s location. Any grey area or ambiguity around location that previously existed has been eradicated under the GDPR.

The conditions for consent to access or use private data now include transparent and easily accessible forms with a clear option to withdraw consent at any time.


  • Breach notification – it will become mandatory for clients to notify subjects of a data breach within 72 hours of first becoming aware of the breach
  • Right to access – subjects will have the right to request details of what personal data is being held and how it is being used
  • Right to be forgotten – or ‘data erasure’ including the removal of personal data and potentially halting access from third parties
  • Data portability – subjects will have the right to request their personal data and pass it on to another controller
  • Privacy by design – systems will be built in a way that ensures controllers are holding only essential data (‘data minimisation’)
  • Data protection officers – will be appointed for those companies monitoring data on a large scale or for special categories of data relating to criminal convictions and offences


Statistics show that just under half (46%) of all UK businesses identified at least one cyber security breach or attack in the last 12 months. As such, it is important that all businesses take responsibility and have processes in place to effectively minimise any disruption caused. (Source: Government report) As a basic guide, you will need to:

  1. Familiarise yourself with the GDPR readiness guide, a 12 step plan produced by the ICO (Information Commissioner’s Office)
  2. Use this framework to identify any problem areas and work with a third party external auditor to perform an unbiased gap analysis
  3. Lay out a remediation plan to ‘fill in the gaps’
  4. Schedule in a re-audit against the ICO’s Data protection self-assessment toolkit
  5. Receive a rating for your readiness


GDPR will affect all industries and businesses working within the European Union. Travel, by its very nature, has been built around personalisation and knowing what travellers want and remembering their preferences.

As an industry, we will need to find ways to still provide that customised experience without the need to store personal data and put client data at risk. There is a responsibility on all parties to ensure they are 100% compliant as we work together to safeguard against potentially damaging threats.


It is important to understand that whilst there is a lot of industry hype around the impact of the GDPR roll-out, and it is quickly becoming a buzzword around business travel events, most of the elements addressed in the GDPR should already be part of your TMC’s commitment to safeguarding your data.

It is also advised not to ignore GDPR: it will impact the UK regardless of what happens with Brexit plans, and it looks set to become a global initiative.


Hillgate Travel is and will be GDPR ready. We welcome GDPR and see it as a continuation of, and addition to, the initiatives we already have in place to ensure optimum compliance and security for our information systems. We started the GDPR readiness process in January 2017; so far we have a ‘good rating’ and we have a re-audit scheduled for October. These initiatives are further reinforced by our ongoing security accreditations:

  • ICO registered (Z1602111)
  • PCI-DSS certified
  • ISO 27001:2013 certified

Hillgate Travel takes data and data security very seriously and will continue to invest and improve as regulation and technology evolve. If you have any questions around GDPR, please contact your Account Manager.