GDPR Readiness Statement
What is GDPR?
The General Data Protection Regulation is a European data standard intended to strengthen and unify data protection for all individuals in the European Union. GDPR gives individuals greater control over their personal data. The new regulation comes into effect on 25th May 2018 and will replace the old 1995 Data Protection Regulations. The governments of Guernsey, Jersey and Isle of Man are implementing their own laws to bring their jurisdictions’ adequacy status in line with the GDPR.
What is a Readiness Statement?
Our Readiness Statement outlines the measures our organisation has taken, and plans to take, to achieve compliance. Our business aims to be GDPR compliant by 25th May 2018.
What does this mean for our customers?
Under GDPR individuals have:
- The right to access – you can request your personal data and ask how that data is used by us. We can provide copies of this data, free of charge, in electronic format.
- The right to erasure (‘right to be forgotten’) – if you are no longer a customer, or if you withdraw consent from us to use your personal data, you have the right to request to have your data deleted, where there is no compelling reason for its continued processing.
- The right to data portability – you can transfer your data from one service provider (e.g. our company) to another in an electronic, readable format.
- The right to have information corrected – you can have your data updated if it is out of date, incomplete or incorrect.
- The right to restrict processing – you can request that your data is not used for processing; however, processing is required for any active travel bookings you may have. Your data record can remain in place, but not be used.
- The right to object – you have the right to stop the processing of data for direct marketing. We ensure all our customers are given the option to opt-out of any email or direct marketing campaigns. Please contact firstname.lastname@example.org if you wish to opt-out of all direct marketing.
- The right to be notified – if there has been a data breach which compromises an individual’s personal data, we will inform the relevant data commissioner within 72 hours of becoming aware. We will inform individuals if the data breach poses a high risk to their rights and freedoms.
Types of personal data we may process:
- Passport details
- Date of birth (adults and children)
- Postal address
- Email address
- Telephone numbers
- Personal preferences / travel choices
- Financial and payment information
- Medical conditions
- Current and former employee details
The Online Regional Travel Group comprises a number of entities:
- Bellingham Travel
- Mann Link Travel
- Richmond Travel
- Wayfarers World Travel
Together we are working with GDPR specialists in the travel sector and industry associations to create a practical, risk-based approach to GDPR compliance. This involves the development and distribution of new policies, procedures and standards in our business. We aim to create a culture of awareness amongst our internal stakeholders and employees with continuous improvement around data privacy and protection for our customers.
We work on the principle of being the “temporary and trusted custodian of our customers’ data”. We are creating a privacy framework and developing new working practices to ensure responsible compliance. These foundation elements are currently being integrated into our management systems and mapped to our customers’ requirements.
We undertake the necessary and ongoing responsibility for personal data held on behalf of our customers, suppliers, partners, employees and any other data subjects that come under our care.
Our commitment to GDPR
- Protecting our customers’ data is a core part of our business strategy and procedures.
- We know what data is being held, where, when and why. This is continuously reviewed.
- We acknowledge and proactively manage the risks and responsibilities when transferring data to third parties.
- We only use the data for the purposes that we have consent for.
- We do not collect any data which is not necessary to fulfil our legal obligations. We do not collect data for general or unspecified use.
- We only retain data for as long as it is necessary.
GDPR Project activity
We are undertaking a wide range of tasks to ensure our business is GDPR compliant including:-
- Setting up an internal working committee of individual specialists in finance, travel administration, Information Technology, data privacy and marketing and appointing a senior staff member with responsibility for GDPR.
- Creating a GDPR committee which meets regularly to scope the GDPR project tasks and track these to work towards compliance by the 25th May 2018 deadline.
- Attending specific travel industry GDPR workshops, conferences and training sessions.
- Engaging with GDPR consultants within the travel industry.
- Mapping all data touchpoints in the business to track GDPR compliance.
- Revising internal frameworks and working procedures.
- Reviewing all IT systems, including email platforms, to identify any changes necessary and making changes / liaising with system providers accordingly.
- Ensuring all marketing forms enable opt-in consent.
- Cleaning our email marketing database to remove any customers who have not opened the five previous email campaigns (“emotional unsubscribe”).
- Issuing GDPR supplier questionnaires to our third-party suppliers.
- Providing guidebooks and training for all our employees on GDPR.
For any further information or if you have any questions about how your data is managed by us, please contact our Head Office at .