Data privacy laws for tour operators

Digital security is the buzzword on everyone’s mind at the moment…it’s impacting virtually every business on the planet, and the travel industry is certainly not exempt. In our last blog on website security, we talked about the ways in which your tour operator business could benefit from increased data security awareness. We explored the positive impacts website security can have on your brand, your search engine ranking in Google, and even your customer acquisition. 

In this blog, we are taking a deep dive into the legal side of data security. Legislation and digital security aren’t the most riveting subjects; but as a travel business owner, they are two of the most important topics that you ought to be paying attention to right now and in the years to follow. right now and the years to follow. 

Consider the role that the internet plays in our daily lives: Our banking, our shopping, our communication, our work and even our travel, takes place or is facilitated through the internet. This is a far cry from what it looked like 30 years ago, everything has changed so rapidly and lawmakers are only just catching up in terms of writing legislation that will ensure the data and people’s privacy is protected online. As a business owner in an industry abundant with digital information, this legislation is most certainly going to impact your business practices.

As a consequence of the Cambridge Analytica data scandal, the discussion surrounding digital echo chambers, and the political consequences of targeted online advertising, the world has become acutely aware of data security. This dramatic shift is changing the face of marketing; acquiring new customers is no longer as simple as sending an email blast to thousands of unconsenting email addresses, or targetting visitors to your website with advertisements on social media. Consumers are now more in control, with legislation now requiring, explicit documented consent to receive marketing.  

The most significant to date is, GDPR; a piece of legislation that restricts the way in which personally identifiable data of European Union (EU) citizens (in Europe, and abroad) can be gathered, stored and used. This affects businesses operating both inside and outside of the European Union, as it applies to citizens regardless of where in the world, they (or their data) may be. In essence, this means that although you may not be a tour operator business in Europe, it is highly probable that you have or will service a citizen of the EU.  Legislation this powerful and far-reaching is unprecedented. Since its release in May 2018, an increasing number of countries are working on passing similar laws that work to protect their citizens in a similar or equal manner to the precedent set by GDPR.  

The main principle of GDPR and other similar laws is to ensure that any personally identifiable data that a company has, is stored, used and collected in a specific way, with informed consent being at the forefront. The legislation is long and complicated, but here are the main key points: 

  • Personally identifiable data is anything that can be used to directly or indirectly identify a particular person. This could include anything from names and emails to IP addresses and employers etc. 
  • You will need to gain explicit, informed consent to store and use any data you gather. This cannot be in a passive consent form, ie. a tick box that you need to untick to opt-out, instead they must knowingly opt-in
  • Everyone has the right to access their data or request that their data be permanently deleted. 
  • The data that you store must be easily transferable and transportable. 
  • The tools that you use to process your data must also adhere to GDPR regulations. 
  • Failure to comply with these regulations could result in a maximum fine of 4% of global annual turnover, or €20 million, whichever is higher. 

If you are thinking, “but data protection legislation won’t affect my tour operator business”, then we have news for you! Even if you have no customers or potential customers who are EU citizens, other countries are adopting similar legislation changes in response. This article outlines what is to come in terms of data protection laws, and it seems that tighter laws are set to be the new norm. 

As a tour operator business communicating with customers on a daily basis, your business will be affected by data protection changes. Although storing data may sound technical, it really isn’t. Even something as mundane as having an Excel spreadsheet or a CRM with all of your customers’ contact details is exactly the type of practice GDPR and similar laws aim to regulate. 

You may already use secure systems that are compliant with all regulations, in which case, you are already meeting your obligations. On the other hand, you may have been blissfully unaware of these laws and the associated repercussions of being non-compliant. If the latter sounds like you, it is highly likely that your business will need to make some immediate changes. 

The new age of data protection regulation will affect your tour operator business in three main ways: 

Data storage 

To put it simply, using Word and Excel to create itineraries and store customers data, just doesn’t cut it any more. These tools aren’t encrypted, which fails to meet the basic GDPR principle of secure data processing. Any personally identifiable information that you store should be in a secure CRM (customer relationship management) or better yet, in your companies tour operator software. Tourwriter, for example, is GDPR compliant across its suite of tour operator solutions.


How do you gather contact information for your potential customers? Do they provide their information to you via a digital contact form? Or perhaps you use social media remarketing to advertise to them? Data protection regulations mean that, if you haven’t already, you need to adapt your sign-up processes. If you have a sign-up form on your website you will need to add a disclaimer to ensure you gain informed consent to store and use the data that they give you. If you are using remarketing methods, you’ll need to add a cookie banner to your website, giving website visitors the ability to opt-in i.e. allowing your digital footprint to be collected  It’s also important to ensure you are keeping a record of your leads and customers consent; both how it was given, and when. Whatever your processes are, it’s important that you make sure they are secure, consent driven, and consistent. 


Above all, the most important step towards making your tour operator business secure and GDPR compliant is being transparent and open with your customers and potential customers regarding their data and what you are doing with it. This could mean anything from adding a privacy policy to your website, or simply being upfront and open if any of your customers have queries. This will also go a long way towards showing your customers that you are a trustworthy and considerate company.

Rest assured, it’s not all administration and rule-following; there are also some notable benefits to be gained from adopting a more proactive approach to data security.  

It will help your brand

As a tour operator, competing with countless other companies for the same customers, it’s imperative to maintain a strong, likeable and credible brand. Consumers are more security conscious than ever; according to a recent PWC survey, 90% of consumers agree that companies should be proactive about data protection and 60% think that the responsibility of protecting data lies with the company collecting it. Be the type of tour operator business that vigorously protects your customer’s data while maintaining and respecting individual privacy. That care and consideration will undoubtedly reflect on your prospective customer’s view of the sort of tour operator you are. 

Data protection laws are inevitable. 

Even if your company isn’t affected by GDPR or other data security laws just yet, there’s no doubt that it will be in the future. Setting up processes now rather than later will save your time and help you avoid unnecessary warnings or fines in the long run. It’s really a win-win for everyone involved. 


We’ve all heard the phrase ‘leading by example’ and in this instance, making sure that your processes are secure will do just that. Most aspects of our lives take place online, and don’t we want that place to be secure? Leading by example and making sure that the security of your customers is forefront in your mind, is one more step towards a safer, more secure web for everyone! 

Resources for tour operators

About the specifics of GDPR

About how Tourwriter has adapted its business to account for GDPR 

Why using Excel to create itineraries is harming your business

Learn about GDPR in more detail

How does the travel industry actually work?

How does the travel industry actually work?

Who are the key players in the industry, where do they all fit together and how does the industry actually work?! There’s no doubt that the travel industry is a confusing space to wrap your head around so we’ve broken it down for you in this easy new resource.

Tourism news websites you can trust

Tourism news websites you can trust

In the tourism industry it can be hard to differentiate the reliable travel news sources from the not-so-trustworthy ones. In this blog we summarise the top travel news websites that tour operators, travel agencies and DMC’s should pay attention to.

How to set your team up for success when introducing new software

How to set your team up for success when introducing new software

Making changes happen is hard. Especially when it is something that will create a significant impact on the way you work, like new software. We discover what change management is and how it can assist you, your leaders and your team in creating new processes that will make you more successful in the long run. Is it time for a change?