What does GDPR mean for Tourism Operators?

As I’m sure many of you have heard, on May 25th of this year, the EU passed a new privacy law that will provide all EU citizens with more control over their personal data. This new law is called the General Data Protection Regulation (GDPR). In this post we break down exactly what the GDPR is, what it aims to achieve, how it needs to be implemented and what affect this has on tourism operators and specifically customers of Wherewolf.

What is GDPR?

This is a significant EU privacy law update that will provide European citizens with more rights to direct how their personal data is managed, specifically:

  • The right to be forgotten
  • The right to data portability
  • The right to object to profiling
  • The right to restrict or object to how data is processed

It is important to note that the GDPR regulates both how data is collected and stored/processed.  Any individual or organisation that captures or processes personal data of EU individuals, regardless of whether you or your organisation is present in the EU, needs to abide by this law.

In short…it’s about being transparent and enabling an individual to exercise choice and have control over their personal data.  On the Wherewolf platform this is about:

  • Users easily being able to understand what T&Cs they’re agreeing to,
  • Provide guests the ability to decide to opt in to mailing lists – or not,
  • Provide guests the ability to control their stored data such as to review, update or delete.

What is personal data?

Personal data is any form of information that can be used to identify and individual, such as name, email, address, telephone etc. So the typical information that you may gather for a booking, such as name, passport number, birth date, etc, this is all personal data.

Who is affected?

In short, pretty much all of us – if you have ever had a member of the EU book with you, and therefore collected personal information from such guests, this means you need to comply with GDPR.

Four simple-r ways to become GDPR compliant

  1. Gone are the days of long winded and confusing terms and conditions. Customers should be able to easily understand what they are opting in for… so you need to be transparent! Whilst you might collect an email address to send a booking confirmation or e-ticket, you must also collect specific consent again to then contact them in an email campaign.  Then, when you’re sending email campaigns, each guest needs to very easily be able to unsubscribe.
  2. Your customers have the right to access their own personal data, at any time, and easily request you erase it. 
  3. The data you collect needs to be in an easily transferable format, so that access requests can be handled quickly and easily. It also needs to be adequately protected – both from unauthorised access and from disasters such as a data-centre fire.  
  4. All services and tools that your business uses to collect, store and process guest data need to comply with the legislation. 

For 2-4 above, this means us, this means Mailchimp, this means any booking reservation site you may integrate with…everybody who stores, handles or process your clients data.

Not only does your business have to ensure the data is gathered legally, but also that those individuals, businesses or organisations who may collect it on your behalf and manage it, will be required to protect it from misuse and exploitation, or face penalties for not doing so. 

Wherewolf GDPR Compliance

As a Wherewolf customer, you have chosen us to be a data processor of your clients personal data. Good news is, we’re GDPR compliant and furthermore Wherewolf supports the principles of the GDPR ensuring all services comply with its provisions for all of our clients. Not only is the GDPR an important step in protecting the fundamental rights of privacy for European citizens, it also raises the bar for data protection, security and compliance in the industry. You can read more about Wherewolf’s implementation of GDPR here and the data process agreement here

To summarise…

If you have ever had a European citizen book on your trip the GDPR affects your company. But rather than looking at this as another painful process, choose to look at it as an opportunity to build a more trusting relationship with your guests. If the user clearly understands what you will be doing with their data they are more likely to provide you with it. Explain to them the benefits of sharing their data… that you can offer a more personable experience with your company.

Want to read more, here are some sites we found helpful:





If you have any concerns don’t hesitate to reach out to our customer support team.

Share this post

Share on facebook
Share on google
Share on twitter
Share on pinterest
Share on email