The arrival of a tour group from Europe brings hope to a rural community which thrives on tourism, showcasing its cultural heritage. A party of 50 marking an important life milestone with lunchtime celebrations makes light work for the chefs in the kitchen. The engaging tour guide refreshes his knowledge for an international safari group hoping to capture the elusive leopards on the morning tours. All across the continent tourism stakeholders, whether restauranters’ or cafes owners, tour operators or travel agencies, hoteliers or transportation providers aim to provide a unique experience for their clientele.
As we continue to embrace the digital age, familiarity with the provisions of digital laws to ensure compliance must be implemented across all stakeholders. Understandably when conceptualizing a tourism enterprise, the last component for most establishments is information technology, data protection and digital laws. The laws applicable to data protection are continuously evolving, and the speed of this evolution would place any small or medium enterprise into a tailspin.
The responsibilities of ensuring compliance rests on the establishments and it is crucially important that the protection in data and storage of information is appropriately handled.
The ramifications on failures to respect the integrity of online transactions, digital marketing, data protection and handling of private and personal information, could have dire consequences for any enterprise. No matter the jurisdiction of the company, it is increasingly necessary to ensure that the fundamentals of data protection are adhered to.
Tourism businesses operating with portals for online bookings and virtual experiences must invest in robust cybersecurity measures to prevent data breaches. Accordingly, the gold standard globally; the EU General Data Protection Regulation (GDPR) sets out fundamental principles for compliance – fairness, lawfulness, & transparent processing. All enterprises must ensure that documentation is completed with legitimate interest and appropriate consents. Notification on data collection, and incorporation of notices in respect of privacy.
Purpose Limitation: Business must ensure that they limit the collection of personal data, minimizing the collected information, and appropriate destruction of data where no longer required.
Data accuracy, confidentiality, integrity and minimization: Where the businesses require collection of personal data, the company has a duty to ensure accuracy in respect thereof, as well as to maintain secure systems providing adequate confidentiality of the information collected, and security in retention of the information collated.
Data protection officer: Appointment of a data protection officer to ensure appropriate organizational measures and securing of personal data and record keeping, and processes according to the standards implemented by the GDPR.
Data breaching processing & reporting: Implementation of appropriate protocols and administrative processes, where data held is disclosed accidentally, or unlawful authorized, notification (within 72 hours) to the relevant authorities.
The route to gaining valuable insights and implementation of the correct tools, begins with understanding where the business is positioned, the amount of data collected from clients. Familiarization with international regulations, will place the company at an advantage when transacting with international customers, this will be true for entities operating in the tourism space.
Where in-country and jurisdictional laws have not yet been fully developed, adherence to minimum standards, compliance with GDPR at a bare minimum will be necessitated. Failures for compliance may result in penalties for data breaches including sanctions, suspensions of activities, fines of up to 10 million Euros or 2% of the company’s global annual turnover.
As countries align Data Protections Regulations, the Companies and enterprises must ensure that they are aware of their local legislation, the jurisdiction of which their customers emanate from and the requirements to protect the client’s data. They must ensure that adequate measures are implemented and correct protocols developed to maintain compliance.
By Safiyya Akoojee B.A, LLB, LLM Director Fortunatus Advisory LLC. United Arab Emirates Director Thomson Wilks Inc. South Africa
This article was first published in the March 032 Issue of VoyagesAfriq Travel Magazine.
