A new set of requirements for data protection and privacy are fully enforced starting May 25. No matter where your destination is, this law could affect you, because the internet knows no borders.
The European Union (E.U.) created the General Data Protection Regulation (GDPR) to reset how personal data and, ultimately, personal privacy are managed. The law’s requirements push organizations to be ethical stewards of personal data and back that up with steep fines for infractions (up to 4% of annual global turnover or €20 million, whichever is more). The law covers:
- All companies offering paid or free goods/services to or monitoring the behavior of any person residing in an E.U. country, regardless of the company’s location.
- All companies holding and processing personal data of any person residing in an E.U. country, regardless of the company’s location.
Many destinations attract visitors from Europe, and online interactions with destination marketing organizations (DMOs) are usually open to anyone in the world. This means that many DMOs interact with E.U. residents and need to comply with GDPR to continue business as usual. GDPR covers all personal data, including employee data in E.U. countries, but this article looks at the impact of GDPR on consumer marketing activities.
The new law affects how you collect and use personal data for marketing
For a DMO, the most common activity affected by GDPR is database marketing. If your DMO’s website has a form to subscribe to an email newsletter, to request a guide or to ask a question, your DMO possesses personal data that is stored and processed for on-going communication.
Depending on the sophistication of your digital marketing, your DMO may be using personal data for other marketing or sales activities that rely on monitoring and tracking behavior (re-targeting ads, personalized web content, site analytics, etc.). That makes your DMO a data controller. You determine what consumer data is collected and how it is used. That consumer data is stored and used in applications, like email marketing systems.
The vendors who provide those applications are the data processors. They run the systems that put the consumer data to work for you.
The GDPR provides one set of requirements for data controllers and another for data processors. If you have personal data of E.U. residents in your consumer databases or other marketing systems, you need to meet GDPR requirements for them. Your DMO needs to follow data controller requirements, and you need to make sure each of your vendors follows data processor requirements.
What is personal data?
The GDPR defines personal data as any information related to a natural person that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, credit card or bank details, posts on social networking websites, medical information, or a computer IP address.
Considerations for your DMO (the data controller)
GDPR is a law with complexities and nuances that deserve proper legal review, especially if your DMO has sophisticated personal data use with E.U. residents or sells directly to E.U. residents. This article is not legal advice. This is a general guide to some key requirements that most DMOs should consider:
- You should collect personal data only when it has a valid business purpose. For example, do not offer a form to gather subscriptions for an email newsletter before you are actually producing the newsletter. If you offer to answer questions submitted to your DMO with personal data attached, be sure someone in the team is actively and regularly responding.
- Whenever you collect personal data from an E.U. resident, consent must be freely given by that person through a statement or a clear affirmative action. A person’s silence or lack of action is not a form of consent, so you cannot interpret consent from options like “if you do not reply, then we will continue to email you” or someone submitting a form with a pre-ticked box (not unchecking it). The recommended approaches are having a person writing an email to send consent or actively checking a box next to a statement that says in plain language that checking the box equals consent to your DMO’s personal data policy. The personal data policy must be written in plain language, be specific and be immediately available.
- Your DMO’s personal data policy should identify the data controller and how the data is processed. Confirming that your organization is controlling the data and revealing how it is being used are required by GDPR.
- You need to create processes that allow consumers to manage their data. The GDPR requires that E.U. residents can request and must be:
- Told if their personal data is stored and how it is being used,
- Given a free copy in a readable format of their personal data being stored,
- Allowed to have their personal data no longer processed, and even deleted in certain circumstances.
- GDPR requirements extend to third-party mailing lists and databases. If you buy or get access to another organization’s contacts that include E.U. residents, that organization must be able to demonstrate that the data was obtained in compliance with GDPR and that permission was granted for advertising purposes. It must not include contacts who objected to having their personal data processed.
- You need to comply with data breach reporting. If a breach occurs that puts individuals at risk, they must be notified within 72 hours of the incident. Risk may be rare for DMOs when it comes to personal data related to marketing activities, but always get legal advice in the event of any data breach.
Considerations for data processors
For most DMOs, the critical concern for data processing is reviewing contracts with vendors (email marketing services, cloud storage, etc.) who process personal data of E.U. residents. Your DMO must ensure its data processors have complied with GDPR and updated their documentation. Do not skip this step. The majority of responsibility for GDPR violations fall on the data controller. Making sure your data processors meet GDPR requirements is important for your DMO, because you choose which vendors manage your data. Choose the right ones.
Treating consumers with respect
With the recent string of high-profile, international personal data disasters (Facebook, Cambridge Analytica, Experian, etc.), the need for greater scrutiny and a shift in data control is overdue. The GDPR has been in development since 2012, so it is not a direct reaction to recent incidents. But it aims to put consumers in charge of their data. It is a legal solution to what should have been the standard of respect for consumers from the beginning.
Perhaps having as big a market as the E.U. rolling out these standards will push businesses around the world to opt for a single, ethical process for handling personal data. Even if companies do not embrace a newfound respect for people as the driver for changing processes, deciding to adopt one way of handling personal data is easier and more streamlined, and efficiency is a smart business choice.
To learn more about GDPR, go to https://ec.europa.eu/info/law/law-topic/data-protection_en
Next, read our two-part series on change management at the DMO.
Looking for international support for destination marketing and management? Contact Destination Think!’s agency and strategic consultancy.