By on

GDPR. No, it’s not just another buzzword that’s afloat on the internet. Everyone with a website needs to pay attention!


What is GDPR?

GDPR stands for General Data Protection Regulation and it goes into effect internationally on the 25th of May 2018. GDPR is an updated version of the Data Protection Directive that has been in effect since 1995. In the simplest terms, it boils down to protecting the rights of people who give you their personal data.


What personal data you may be collecting?

If you have Google Analytics, videos played on your site from YouTube, an e-commerce function that collects billing information and other features that load automatically on your site via “cookies” then you are collecting personal data.

GDPR does not only affect your business and your website but also any 3rd party providers, which in the travel industry means your booking engine provider also.

Be sure to check that they already changed and adjusted to the GDPR. This should be accessible via your contract with your provider and/or on their website’s privacy policy.

Since they act as a data processor, they will need to have appropriate security measures in place and notify you of any breaches that happen.


Who does GDPR apply to?

The biggest misconception about GDPR is that you only need to be compliant if you run a business out of one of the EU member states. It actually applies to any business that does one of the following:

  • Actively offer products or services to EU residents
  • Collect personal data, including pseudonyms, from citizens of the EU

So whether you’re a business based in the US or  New Zealand, you are required to comply with the GDPR. In essence, any business that has a website should be concerned about this law as you really can’t control who visits your website.


What you need to do

Now let’s drill down into what you need to be doing to your site to ensure compliance:


If you don’t have this yet, it is the first thing that you need to do. We recommend writing your privacy policy in accordance to Article 12 of the GDPR which shows that you process personal data in a way that is transparent, concise, intelligible and easily accessible. In other words, try to explain in plain English:

  • What data you are collecting
  • How you collect the data
  • What it will be used for
  • How you secure it
  • Any third parties that will have access to it
  • What your cookie policy is and what cookies are loaded on your site
  • Controls that the user can have over this data collection

We highly recommend adding your privacy and cookie policy to the footer of your website and linking it to any opt-in you have on the site.

A simple Google search will provide a number of free privacy policy templates that are available. However, should you choose this option we recommend due diligence to ensure that it complies with Article 12 of GDPR and/or seek legal advice. 



If you are collecting names or emails and/or if you have Google Analytics you are collecting data and using “cookies.”

Cookies are small files that are automatically dropped on your computer as you browse the web. Cookies themselves are harmless bits of text that are locally stored and can easily be viewed and deleted. But cookies can give a great deal of insight into your activity and preferences which can be used to identify you without your explicit consent.

There could also be other 3rd party systems like social media integrations added to your website that can gather data and they may also use Cookies to gather this data.

Under GDPR, you must advise website users that you are using Cookies and what your Cookie policy is. You have probably already seen the warning over the last year on sites.

Another consent mechanism to be aware of is your newsletter signups: that opt-in box that already has a check. Well, in the new world of GDPR compliance, that is a big no-no. Think: Active Opt-in. The concept of consent under the GDPR gives importance to consent being freely given, specific and informed. So before you start collecting any information make sure the consent is clear, affirmative and explicit.



Make sure you have appropriate security measures in place for the data you store, process and keep written records of the personal data processing activities you carry out. Only keep the personal data for as long as it is necessary.  How you and your staff handle personal data in your everyday business activity must be controlled and protected.


Next Steps

If you are not yet working towards GDPR compliance, the time to do so is NOW.

There are big penalties that come with non-compliance.

Read more articles

Get Tourism Marketing Tips and More

Follow Us

Love what you see? Let us know how we can help grow your business.

get in touch

Our Partners

  • PATA logo
  • Investors in People silver award
  • Payment Express logo
  • Tourism Industry Association of NZ logo
  • Westpac Auckland Business Awards logo
  • California Hotel and Lodging Association logo
  • California Association of Boutique and Breakfast Inns logo
  • New Orleans Convention and Visitors Bureau logo
  • Greater New Orleans Hotel and Lodging Association logo
  • Louisiana Travel Promotion Association logo
  • Mid South Women in Tourism logo