The deadline for compliance with the European Union’s (EU) General Data Protection Regulation (GDPR) is just around the corner, and even if you’re a U.S.-based DMO, the privacy law WILL apply to you. Since you’re most likely collecting personal data in your CRM and CMS from customers or contacts in the EU, it is important to educate yourself and your team on GDPR requirements, and to review and adjust your policies and processes as needed to make sure you’re lawfully handling the data.

Don’t Get Scared, Get Prepared

It can be easy to feel intimidated or overwhelmed by the requirements of this new regulation, so we’d like to help you ease into what you need to know with this blog: build your awareness of the regulation, give you some key points to keep in mind, and some questions to start you off on reviewing your policies and processes for compliance. At the end of this blog, we’ll provide some further resources for you.

What GDPR Means to Destionation Organizations

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council, and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU).

This means if you have any customers or contacts in the EU—and as a destination marketing organization, you probably do—how you gather information for marketing communications and how you use that information will need to be addressed and adjusted to be in compliance with GDPR. You need to ensure you’re in compliance by the stated deadline of May 25, 2018. If you’re not, you could face some hefty fines. But don’t get scared, get prepared. 

Key Points for Destination Organizations to Keep in Mind 

• Consent for data collection and storage: For any data you collect on an individual residing in the EU, you must have consent to collect that data and store it, and you must be able to prove that consent. Consent must be active—affirmative action by the data subject,  i.e “opting in”—not passive, i.e. acceptance through pre-ticked boxes or opt-outs. You must clearly state your purpose for collecting the information, meaning how it will specifically be used. Ask yourself: Can we describe data-collection practices as transparent?
   
• Privacy by default: Only collect the information you need to complete the designated transaction, and limit access to personal data (meaning any information relating to a directly or indirectly identified or identifiable natural person ‘data subject’) to those necessary to complete the processing. Ask yourself: Have we checked to make sure that all the information we collect is relevant, and not excessive, for our specified purpose? Do we have a privacy policy in place?
   
• Individual rights to data review, portability, and erasure: An EU resident can request to review and even have you delete/erase their data. You need to be able to show the data you’ve collected on an individual to that individual upon request (free of charge), within thirty days of the request, and if he or she wants their data deleted, you must be able to do this within a reasonable amount of time. A data controller must communicate to other organisations the need to delete copies of this data and links to those copies. Ask yourself: Are there clear, documented procedures in place for dealing with such requests?
   
• Data controllers AND processors are held responsible: A controller is defined as the person, public authority, or agency who determines the purposes and means of the processing of personal data. In our world, DMOs or marketing agencies can be considered controllers. A processor is a person, public authority, or agency which processes personal data on behalf of the controller. Simpleview, for example, can be a data processor. Unlike under the previous directive, both controllers of data AND processors of data are held accountable by GDPR, and there are fines for non-compliance, starting May 25, 2018. Be sure you’re in compliance, and review that your partners are compliant as well.
   
• No data is grandfathered in: You must be able to show consent for any data you currently have on EU individuals, even date collected prior to the GDPR deadline. If you can’t, you need to request consent before the deadline, or delete the information. DO NOT send communication out to previously unsubscribed emails. Ask yourself: For current customers, can we demonstrate an existing customer relationship? For email subscribers, do we have records that demonstrate consent? 
   
• Timely breach notifications: GDPR makes it compulsory to notify both users and data protection authorities within 72 hours of discovering a security breach. In some cases, affected individuals need to be notified, as well. Ask yourself: Are my current systems set up to identify a breach? Do we have a data security and data breach policy?
   
• Non-compliance fines: Companies can be fined up to €20MM, 23MM (usd) or 4% of their global annual turnover of the preceding financial year (whichever is higher). Other consequences could include personal damage claims, a damaged reputation, and loss of business to compliant competitors. So, there is pretty much no question that GDPR compliance is not only to the benefit of your EU customers and contacts, but also to your organisation. Your customers, no matter where they reside, want to know they can trust you with their business and their personal information. Show them that they can.

More reasons the Work is Worth it

While putting in the work to ensure compliance with this new regulation may seem taxing right now, keep in mind that the steps you take to be in compliance, and to maintain compliance for your EU customers, are beneficial to your DMO as a whole, as well. At Simpleview, we stress the importance of clean data to a highly efficient CRM and CMS. We promote marketing to your visitors with content relevant to them, to increase the likelihood of engagement and conversion. We encourage working with and trusting your partners and members through the use of integrated technology and services. All of these best practices can only be strengthened by cleaning up your data by ensuring the individuals you are marketing to consented to receive information from you, and that both parties, you and the customer, are clear on what you’ll be marketing—that it will be relevant. Additionally, having policies and processes in place will document and illustrate trust and minimize misunderstandings, as will being aware that your partners are putting in the work to show they know trust is important, too.

Additional Guidance/Resources

Visit Simpleview’s GDPR landing page for more resources on compliance, including a GDPR Readiness Assessment, FAQs, and more.

Please note this blog and its content, as well as the additional guidance/resource documents, are not exhaustive resources on GDPR policy and they should not be relied on as legal advice. Because legal information is not the same as legal advice – the application of law to one’s specific circumstances, we recommend consulting a lawyer if you need legal advice on how to interpret the legislation. This content is information for awareness purposes and to inspire you to review your current policies and practices.

About Eric Rankin:

As VP of Product Development, Eric oversees all components of software product management, from identifying market needs to translating them into specific features for the team to build. Eric is a key player in analyzing intelligence and developing product strategies and roadmaps for the future.