Stay safe with a cyber checklist for 2017
For visitors to your website, user experience can be the difference between converting a sale and losing the interest of a potential customer. Investing in the ‘front end’ of your website is clearly important in generating revenue and loyalty, whilst, crucially, the ‘back end’ system provides the foundation of your online presence and protects business assets such as data and information security. With a New Year on the horizon, your focus is rightly on how best to exploit new technologies and apply innovative solutions to move the business forward – but do schedule time to check you have the foundations in place to remain compliant and secure.
The front end
Content must be legal and accurate. This is especially important in the travel sector, where your selling status will imply different obligations – for example, are you acting as an agent or are you the principal tour operator? Recognising the difference is key, as this dictates how you present information to your customers. Ensure you understand and comply with the Advertising Standards Authority guidance on holiday and travel services advertisements, as well as consumer rights legislation on how bookings can be taken online and how contracts might be made for the purchase of holidays.
You’ll also need to ensure that the intellectual property rights in your website are secured and that you have correct licensing for other content used (e.g. pictures), to avoid infringing any third party rights.
Securing the back end
Every business is susceptible to cyber-attacks and data breaches. Protecting against this risk is particularly important in the travel industry, where your customer relationships are built on trust and brand profile. So it’s extremely important that your back-office systems are robust.
If you use APIs or other data feeds from third party travel services providers (e.g. live availability or pricing, links), monitor and check that the connections are secure and that data flows allow for accurate information to be provided to the customer.
If your website allows for automatic document generation or email confirmations, you must also ensure that the documents you are legally required to produce when taking payments are wired into the booking platform, to ensure compliance, e.g. producing ATOL Certificates to comply with the ATOL Regulations.
And, if you take payments through your website, you must ensure that you use a payment gateway provider that is PCI DSS compliant, so that the appropriate level of information security is attached to those payments.
It is likely you’ll be using third party suppliers in the provision of your website and back-office functionality – are you comfortable that they have relevant security measures in place to protect against cyber-attacks and loss of data? Check your contracts and ensure you get assurances of responsibility for data, security and service levels.
Data protection considerations
In May 2018, we will also be subject to the new General Data Protection Regulations. Although Brexit poses questions on how this will be adopted post EU membership, it is likely that the full impact of the regulations will proceed and therefore businesses need to understand the additional rights of data subjects and obligations to protect personal data.
Your systems check
Check that:
- your IT infrastructure is secure, and audit it regularly.
- website content is accurate and that you have rights in the content.
- you own (or have appropriate licences to use) the content and framework of your website.
- you have contracts with your third party providers for the support, maintenance and hosting of the website.
- you have relevant consents from customers to process their personal data, especially if you transfer data outside the European Economic Area.
- third party providers contractually agree to only access and use the back-office system for the purposes for which they are appointed.
- you control access to your systems to avoid information security breaches and potential cyber security risks.
- your IT infrastructure (including your front end website and back end booking systems) is ready to be compliant with the new General Data Protection Regulations.
Published: 16 Dec 2016