GDPR - General Data Protection Regulation

What is this guide about?

This guide explains our approach to personally identifiable data under GDPR. It sets out what New Mind tellUs will do and what you will need to do as part of preparing for GDPR, and ends with a summary of what we plan to roll out, and when, in the run-up to May 25th.

What is GDPR?

The General Data Protection Regulation (GDPR) extends the current Data Protection laws and applies to the personal data you control (e.g. names, addresses, telephone numbers and email addresses). GDPR applies from 25th May 2018 and is a legal requirement.

Under GDPR you are the Data Controller and are ultimately responsible for your own compliance.
 
New Mind tellUs is the Data Processor and we will be making some basic changes to our systems to support GDPR compliance.
 
Note: New Mind tellUs is only one supplier and GDPR compliance of our solutions does not imply your overall compliance as an organisation. New Mind tellUs does not claim to be specialist GDPR consultants and you should not rely on anything in this document for your own GDPR compliance.
 
This web page summarises the system changes that we will be making with regard to GDPR and will be updated from time to time.
 

Some guidance

The Information Commissioner's Office (ICO) has published a useful 12-step guide to preparing for GDPR.

Four of the steps are directly relevant to the New Mind tellUs etourism solution and our clients' use of it. These are:

Point 3 - Communicating privacy information
Point 4 - Individuals’ Rights (specifically - Right to Erasure)
Point 5 - Subject Access Requests (SAR)
Point 7 - Consent

For visitor data

This section focuses on visitor data. There is a separate section of this guide covering B2B and trade data guidelines.

We have categorised personally identifiable visitor touch-points within our systems as follows:

Standard Forms where marketing consent is requested:

  • Visitor Registration
  • Online Booking Transaction Page
  • Newsletter sign up
  • Brochure Request

Bespoke Forms, which may ask for further consent:

  • Online Surveys
  • Competition responses

Other touchpoints that are not affected by GDPR as no identifiable consumer data is stored:

  • Data Capture Analytics
  • Cookie policy

Below are the two key visitor touch-points in the New Mind tellUs solution: Visitor Registration and Visitor CRM Management.


Fig 1 - Visitor website registration data flow


Fig 2 - Visitor CRM data flow

The above logical diagrams describe how visitor data is received, processed and stored within our systems. We can provide a full set of diagrams for all of the touch-point categories described in the bulleted list above.


Now let's look at the points of interest listed in the ICO 12 step plan that are relevant to New Mind tellUs.

Point 3 – Communicating privacy information

Under GDPR there are some additional elements that need to be covered in your Privacy Policy, including but not limited to data retention periods.

What we will do: We are making additions to the system that link the active Privacy Policy to any consent action on your website. This means that when a visitor signs up using a Standard Form (see above) the currently active Privacy and Consent Policy is attached to that visitor's consent action, so you can later show which terms the visitor agreed to.
 
What you need to do: You will need to review and amend your Privacy Policy and Terms & Conditions to ensure that they are in line with your internal policies and procedures regarding the processing of personal data.
 
New Mind tellUs will be making changes to the basic template Privacy Policy that many of our clients have adopted. However, even if you choose to continue to use this, you should seek legal advice regarding how appropriate it is with respect to your own GDPR compliance. The ICO have published a useful Privacy Policy checklist on their website.

Point 4 - Individuals’ Rights (specifically - Right to Erasure)

This is also known as the ‘right to be forgotten’.

The principle is to allow an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

When a known user invokes their right to erasure you are obligated under GDPR to remove any and all personally identifiable data pertaining to that person. There are however some circumstances where the right to erasure does not apply and you can refuse to deal with a request. See ICO guidelines for details of these circumstances.

What you need to do: As the Data Controller, you need to clearly state on your website what your Right to Erasure process is and then respond to any subsequent requests that you receive. As part of this process you will need to verify the validity of the request.
 
What we will do: As the Data Processor we will respond to any Right to Erasure requests that you pass on to us for fulfilment.
 
We are also currently in the process of erasing any personally identifiable visitor data from our internal systems that you may not have access to e.g. any personally identifiable information that may exist in import or export csv files that we may still hold in our systems.

Point 5 – Subject Access Requests (SAR)

From the 25th of May 2018 you will have a month to respond to SARs.

What you need to do: As the Data Controller you are responsible for providing the information to the person making the request. As part of this process you will need to verify the validity of the request.

What we will do: We will ensure that you have sufficient access to visitor data that is stored in our systems such that you can respond to any SAR in a timely fashion.

Point 7 - Consent

Consent refers to how an individual gives you permission to contact them or otherwise process their data. This has been traditionally done through a data protection question on your web site forms.

Note: You don’t need consent to contact someone as part of an actual or potential contract (e.g. a booking). In this scenario, you could contact the person in relation to the booking but not for general marketing unless further consent had been given.

For consent we are focusing on Visitors. The key changes that impact New Mind tellUs systems are:

  • You cannot assume consent
  • You need to record how and when consent was obtained
  • You need to be specific if consent applies to other organisations
  • You need to allow people to easily withdraw their consent
  • You need to make sure that personal data is not stored for longer than is necessary.

What we will do: We will create a set of standard sign-up forms that cover:

  • Visitor Registration
  • Online Booking Transaction Page
  • Newsletter sign up
  • Brochure Request

These forms will require their own set of Consent Statements, separate from your standard website Privacy Policy. There will be no charge for the implementation of the Standard Forms.

Note: We reserve the right to charge for changes to Bespoke Forms such as:

  • Online Surveys
  • Competition responses

What you need to do: You will need to create the Consent Statements and any appropriate extra information for each form.

Existing Visitor CRM Data

If you have not done so already, we strongly recommend that you undertake a full audit of your existing visitor data and identify an appropriate lawful basis for processing.

If you cannot show a connection between previous consent and the set of terms and conditions it was given under, you have no basis on which to retain that personal data. This applies to both of the examples below.

If you have been using forms with a default opt-in option checked (see example below) then under GDPR rules this is not considered consent, and you will not be able to use this method going forward.


Fig 3 - example of auto opt-in - checked by default

Consent from visitors who previously signed up using forms where they had to opt in explicitly (see below) is also not considered valid consent without some additional information. Remember that unless you can show which set of Terms & Conditions the consent was attached to, the consent is also considered not applicable.


Fig 4 - example of opt-in required by selection - unchecked by default

Note: In both the above cases, it is possible to seek fresh consent from these visitors via a re-permissioning campaign which should be distinct and separate from any marketing emails.
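The requirements above (record how and when consent was obtained, tie it to the consent statement in force at the time, allow withdrawal, and treat pre-ticked or unattributable historic opt-ins as not being consent) can be implemented as a small consent ledger. The following Python is an added illustration written for this page; it is not New Mind tellUs code and does not describe how the eCMS or DMS store consent. The class and function names (ConsentLedger, policy_version, build_sample_ledger), the purpose and form labels, and the sample contacts are all assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


def policy_version(statement_text: str) -> str:
    """Identify a consent statement version by a hash of its exact wording,
    so every consent record points at the words the visitor actually saw."""
    return hashlib.sha256(statement_text.encode("utf-8")).hexdigest()[:16]


@dataclass
class ConsentRecord:
    email: str                   # constructed sample identifier, not real data
    form: str                    # which form captured it, e.g. "newsletter"
    purpose: str                 # what it permits, e.g. "marketing_email"
    granted_at: datetime
    policy_hash: Optional[str]   # None: legacy row with no linked statement
    pre_ticked: bool = False     # opt-in box was checked by default (Fig 3)
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self.statements: Dict[str, str] = {}   # policy_hash -> statement text
        self.records: List[ConsentRecord] = []

    def record(self, email: str, form: str, purpose: str, statement_text: str,
               when: datetime, pre_ticked: bool = False) -> ConsentRecord:
        # A change to the wording yields a new hash; older records keep
        # citing the text that was live when they were created.
        h = policy_version(statement_text)
        self.statements[h] = statement_text
        rec = ConsentRecord(email, form, purpose, when, h, pre_ticked)
        self.records.append(rec)
        return rec

    def import_legacy(self, email: str, form: str, purpose: str,
                      when: datetime, pre_ticked: bool) -> ConsentRecord:
        """Historic CRM rows whose opt-in cannot be tied to any terms."""
        rec = ConsentRecord(email, form, purpose, when, None, pre_ticked)
        self.records.append(rec)
        return rec

    def withdraw(self, email: str, purpose: str, when: datetime) -> None:
        # Withdrawal is recorded, not deleted: the trail shows grant and withdrawal.
        for rec in self.records:
            if rec.email == email and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = when

    def has_valid_consent(self, email: str, purpose: str) -> bool:
        """Valid = explicit (not pre-ticked), linked to a statement, not withdrawn."""
        return any(
            rec.email == email and rec.purpose == purpose
            and rec.policy_hash is not None
            and not rec.pre_ticked
            and rec.withdrawn_at is None
            for rec in self.records
        )

    def contacts_to_purge(self, purpose: str) -> Set[str]:
        """Contacts with no valid consent: re-permission them or delete them."""
        emails = {r.email for r in self.records if r.purpose == purpose}
        return {e for e in emails if not self.has_valid_consent(e, purpose)}

    def evidence(self, email: str, purpose: str) -> List[dict]:
        """What a controller can produce for a SAR or audit: when, which form,
        the exact statement agreed to, and any withdrawal."""
        return [
            {"form": r.form,
             "granted_at": r.granted_at.isoformat(),
             "statement": self.statements.get(r.policy_hash),
             "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
            for r in self.records if r.email == email and r.purpose == purpose
        ]


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data for the example (not from the original page)."""
    ledger = ConsentLedger()

    def t(day: int) -> datetime:
        return datetime(2018, 5, day, 12, 0, tzinfo=timezone.utc)

    v1 = "Yes, send me the monthly newsletter by email. You can withdraw at any time."
    v2 = v1 + " We will also share your email address with our partner hotels."
    # alice: explicit opt-in on the new form, re-consented when the wording changed
    ledger.record("alice@example.com", "newsletter", "marketing_email", v1, t(26))
    ledger.record("alice@example.com", "newsletter", "marketing_email", v2, t(30))
    # bob: legacy row captured with a pre-ticked box (Fig 3)
    ledger.import_legacy("bob@example.com", "brochure_request", "marketing_email", t(1), True)
    # carol: legacy explicit opt-in (Fig 4) but no record of which terms applied
    ledger.import_legacy("carol@example.com", "visitor_registration", "marketing_email", t(2), False)
    # dave: valid consent, later withdrawn
    ledger.record("dave@example.com", "newsletter", "marketing_email", v1, t(26))
    ledger.withdraw("dave@example.com", "marketing_email", t(28))
    return ledger
```

Only alice survives has_valid_consent in the sample: bob fails on the pre-ticked box, carol because no statement is linked to her opt-in, dave because he withdrew. Hashing the statement wording rather than storing a "version 2" label means a silent edit to the live text cannot be mistaken for the text an earlier visitor agreed to.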
 
Our recommendation is that unless you have GDPR compliant consent, you cannot legitimately continue marketing to these contacts after 25th May and this data should be removed. As the Data Processor, New Mind tellUs can only act on the documented instruction of the Data Controller (you) so we will only undertake requests for the removal of data if they are put in writing.
 
Note: We reserve the right to charge for complex data manipulation and deletion.
 
What you need to do: If you believe that you have any visitors that you are not entitled to continue to contact, you will need to write to us detailing which contacts these are (e.g. all contacts signed up before a given date) and we will bulk delete these records. We will be acting as the data processor under your instruction, and any legal ramifications of the usage of that data reside with you, the data controller.
 
Note: Any third party email marketing systems you use that contain visitor/contact data are outside the responsibility of New Mind tellUs and we recommend that you work with your email marketing supplier on how best to manage your contact data. If you subsequently wish to re-import any clean, GDPR compliant data into the DMS, then this will have to be handled as a chargeable service request.
 

Summary of activity over the next few months

April

  • We will have identified and removed any personally identifiable data stored outside of the eCMS and DMS.
  • We will build the new standard forms with attached data protection and consent information in the eCMS

May

  • We will release the new standard forms at the next scheduled system release (8th May)
  • On written request from you, we will bulk remove any visitor data for which you do not hold GDPR-compliant consent
  • We will remove Contact / Organisation / Visitor view permissions for estates (which means that you will only see the data that is in your estate or any that you legitimately share with another destination). 
  • If you have your updated data protection and consent content ready ahead of this time then you can easily add them into the eCMS.
  • After the 25th of May any consent received from a visitor will be logged against the specific data protection and consent terms and conditions as they existed at the time of consent.

For trade data

The ICO lists six lawful bases under which you can process personal data. We consider the bases that apply to trade data to be 'Legitimate interests', 'Public task' or 'Contract'.

We are assuming that you are covered by one of these three bases and therefore do not require consent to contact or deal with B2B clients or trade partners.


Fig 5 - Product data capture

Implications of GDPR for trade data

  • Businesses need to know they are referenced in the ‘DMS’ and what this means (eg publication on websites, contact by DMOs)
  • Businesses need to know what information you store about them (SAR)
  • Businesses need to know how to remove their business from the DMS
  • You need to ensure that trade data is not stored for longer than is necessary

What we will do: We will create an extra option in the DMS that allows a business to set an 'essential emails only' flag via the extranet. We will also allow the DMO to set this flag on behalf of business contacts that do not have access to the Provider Extranet. This means that businesses can say whether or not they want to receive general marketing information.

What you need to do: Share the DMS reference details with your B2B contacts (if they don't already have them). Inform them of the 'essential emails only' option that can be set against the contact details we store for them in the DMS. Make sure that businesses are aware that they are part of the DMS and what this means.

Here’s a sample set of T&C’s for Trade Data:

‘[Your Country] organisations promoting tourism, including New Mind tellUs, who use the DMS and eCMS (operated by New Mind tellUs), may process your business data. The lawful bases for processing your business data may be ‘Contract’, ‘Legitimate Interests’ or ‘Public Task’, depending on the organisation and nature of the processing. This is processing you may reasonably expect, relating to your business presence on tourism websites and your use of New Mind tellUs systems. If you wish to be removed from the DMS, please contact your data steward …. As part of the processing the organisations may contact your business about your use of the DMS, updating your entry on a tourism website, or how to use system features that could benefit your visitor numbers or visitor spend.’

Some guidance on the above example:

  • Make sure you only use the data in the DMS for the purposes described above.
  • Honour the 'essential emails only' flag; only send 'contract' type emails (e.g. membership renewal, annual data collection) to businesses who have set it.