GDPR and the local travel industry

Sri Lanka Association of Inbound Tour Operators (SLAITO) in collaboration with SecurMatic.com organised a GDPR awareness summit to all its members and the hotel community (THASL) on 11 July at the Lakshman Kadirgamar Institute in Colombo. 

This summit is part of the ongoing exercise undertaken by SLAITO to educate the local industry on the new European General Data Protection Regulation that came into effect on 25 May. 

With over 35% of inbound travellers originating from the EU, Sri Lankan tour operators and hotel operators should follow this data protection regulation,” said SLAITO Chairman Haritha Perera. He emphasised that since this is something new to the industry, it will be a long and tedious journey for operators to be compliant due to the existing business practices, but said, it is essential we follow the guidelines for the future of the industry and that we immediately start the process to be compliant.

The guest speakers included Ranjika Manamperi – CEO of SecurMatic.com, a Cyber Security company specialising in cyber risk management and GDPR compliance solutions to the travel industry, presented GDPR implementation guidelines covering the local tour and hotel operators. Ranjika spoke to the applicability of GDPR to the Sri Lanka travel industry. If your organisation directly or indirectly markets travel services to EU based travellers and or if your organisation is part of EU based company and or if you carry out DMC services on behalf of a travel company that targets EU based travellers, your company will come under GDPR scope, she said. 

Ranjika also stressed that implementing GDPR includes changes and improvements to operational processes, supplier relationships, technology and staff awareness. “GDPR is an ongoing process in your organisation. It requires a cultural shift in handling personal data and data security,” she said. Ranjika also emphasised to local companies to pay attention to the data protection and liability clauses incorporated in vendor and B2B agreements. 

Samantha Simms, an information law attorney from UK, who is the founder of The Information Collective, spoke about the need to protect customers’ personal information and the impact to Organisations when a data breach does occur. Due to the myriad number of partners involved in providing travel solutions it can be challenging to control what happens to customers’ information when it’s transferred onwards. She stressed that under GDPR your accountability to protect that information doesn’t end after the information is transferred but you have an accountability to ensure that your partners handle the same information securely and notify you in the event of a data breach. She also raised the need to simplify privacy and data protection to enable global organisations to turn legal compliance such as GDPR into commercial opportunities. 

Following the presentations, there was a panel discussion moderated by Dayan Gunasekera comprising industry experts namely Sanjeewa Anthony (THASL), Upali Rathnayake (Sri Lanka Tourist Board) Harith Perera (SLAITO), Hasitha Gamage (Sudath Perera law firm), Ranjika Manamperi (SecurMatic) and Samantha Simms (Information Collective). SLAITO and THASL members posed many questions and clarifications pertaining to GDPR on a macro and micro level.