GDPR Checklist for Tour and Activity Companies


You are no doubt familiar with The General Data Protection Regulation (GDPR) as a tour operator. In this post, we’ll take a quick look at the changes coming with GDPR, how it affects your business as a leisure provider, and what steps you need to take to be in compliance. In addition, we will provide you with a detailed GDPR checklist.

Ready? Let’s go.

What is GDPR?

learn all about the GDPR checklist

GDPR is a regulation that requires EU businesses to protect and safeguard the personal data and privacy of EU citizens. Any business that doesn’t comply with the regulation could face severe consequences.

The practice of collecting personal information online began in the 1990s, and since then, the amount of digital information we capture and store has increased exponentially. As a result, the old regime is no longer adequate, hence the General Data Protection Regulation (GDPR).

The stated purpose of the GDPR is “to ‘harmonise’ data privacy laws across Europe as well as give greater protection and rights to individuals.” The GDPR is needed because of increasing public concern over privacy. Europe, in particular, has stricter rules about how companies handle and use personal data of consumers. It comes on the heels of several large-scale data breaches over the past year that involved personal details for millions of LinkedIn, Yahoo, and MySpace accounts. The aim is to provide rights for people to access their business-held information, set up tighter requirements concerning businesses’ data management, and implement a new system of fines.

Ultimately, the goal is to hold companies to a higher standard of accountability with respect to handling personal information.

The EU parliament approved the GDPR in April 2016 to replace an archaic data protection decree from 1995 (the Data Protection Directive). In addition to requiring businesses to protect EU consumer personal data, it also standardizes the exportation of personal data outside the EU. The GDPR requirements are standard across all 28 EU member states; the standard is quite high and will entail a large investment by most companies to meet and administer the requirement.


What you should know about GDPR and how it will affect your business

Here is what every tour operator that does business in the EU needs to know about GDPR.

Tour operators that collect any data of EU citizens need to comply with strict new rules regarding protecting customer data by May 25, 2018. GDPR is expected to set a new standard for customer rights in regards to their data. But businesses, like yours, may be challenged as they put new systems and process in place to be in compliance. Security teams will be faced with new concerns and expectations. For example, the GDPR’s view of what establishes personally identifiable information is arguably quite vague. Businesses will need to install the same level of protection like a web visitor’s IP address or cookie data as they do for names, addresses, and social security numbers.

The GDPR certainly leaves a lot to interpretation. It states that businesses must deliver a “reasonable” level of protection for personal data but does not really define what it institutes as “reasonable.” This gives the governing body a lot of margin when it comes to evaluating fines for non-compliance.

To make things easier, we have provided you with a checklist to run through and ensure that you are in compliance.


GDPR Checklist

Here you can find a detailed GDPR checklist

Complying with GDPR isn’t just a way to avoid fines and legal troubles. According to a survey by Varonis Systems, 74 percent of businesses surveyed believe that GDPR compliance will be a competitive advantage because it will boost customer confidence. So you can follow the below GDPR checklist and improve your business in addition to getting some peace of mind.

But first, let’s look at some background information you need to know about the type of data you need to protect and who should be responsible for it.

The types of privacy data your tour operation needs to protect:

  • Basic identity information like name, address and ID number
  • Web data: location, IP address, RFID tags and cookie data
  • Biometric data
  • Race and ethnicity data
  • Genetic and health data
  • Political affiliation and opinions
  • Sexual orientation


Employees in your business that need to comply:

  • Data controller
  • Data processor
  • And a Data protection officer (DPO)

Those people need to ensure that outside contractors also comply. The data processors are the people the GDPR holds responsible for any data breaches. If you are non-compliant, then your company and processing partner (i.e. your cloud provider) will both be liable for penalties.

And now, on to the GDPR checklist for tour and activity companies.

  • Make sure you prioritize GDPR during the next weeks – you want to be prepared under all circumstances
  • Involve everyone in your company – until the 25th of May this topic should stay on top of your list
  • Get a DPO. The GDPR requires you to have to a DPO to ensure that the person is responsible for following all their rules. They do not need to be hired on a full-time basis; they could be contracted or even be someone in your company who has a similar role.
  • Carry out a risk assessment. You already know what data you store and use on EU citizens so you know the risks around it. So you should outline measures to mitigate risk. A way you can do this is to uncover all shadow IT that might be collecting and storing customer information. There are numerous applications that hold personal data so find them all and implement any measures you need to in order to be in compliance.
  • That being said, have measures in place to mitigate risk. Once you have identified the risks and how to mitigate them, your next step should be to put those measures in place. Perhaps, like most businesses, you need to revise existing mitigation measures.
  • Ensure that company mobile phones are in compliance. Your employees may have downloaded many apps on their work phones that collect personal data from their devices. That creates many risks for GDPR non-compliance. So you will need to review work phones and make sure your employees are not using any unauthorized apps.
  • Ensure that you obtain customer consent in all instances where you are collecting and storing their personal data. That means that you need to state and explain what you intend to do with customer data and how long you intend to keep it for on your sign-up forms, opt-in boxes, check out processes and any other ways in which you collect customers’ personal data. Regiondo helps you to obtain customer consent!
  • Have a data protection plan. If you already have one in place, review and update it to make sure it is in compliance with GDPR requirements.
  • Create a plan to report the compliance progress. According to article 30 of the GDPR regulation, the Record of Processing Activities (RoPA), you need to take inventory of risky applications to avoid becoming a victim of regulators.
  • Ask for help if you need it. Especially if you run a small tour business. All tour operators will be impacted, regardless of size. Hire technical experts to help you if need be.
  • Test incidence responses. The GDPR necessitates that all companies report breaches within 72 hours. So you should test how fast your response teams can respond to breaches.
  • Assess constantly. You should set up a process to assess on an ongoing basis. That means that you should be monitoring and improving your GDPR compliance processes on a routine basis.


Wrapping Up

The GDPR is a new regulation that affects all companies that do business in and with the European Union. It is critical to be in compliance with the GDPR in order to avoid hefty fines and penalties. To do this, study our GDPR checklist thoroughly so you can improve your business and get more peace of mind at the same time.

Recommended for you: Pricing Discrimination in the EU and How It Affects Tour Operators

About Robert Fink
All posts by Robert Fink

1 Comment

Comments are closed.