General Data Protection Regulation (GDPR) - Information for our clients

General Data Protection Regulation (GDPR) builds on the concepts of the current Data Protection Act (DPA) and applies to the personal data you control. GDPR will come into force on 25 May 2018 and is a legal requirement to implement.

To help you prepare, we have created this page with all the relevant information and it will be updated regularly as the deadline approaches.

GDPR involves changes to the system to allow you to be compliant. We are not charging for the basic changes, but if you require any additional changes or data updates, these will be chargeable.

As we are aware that GDPR is something that all clients will need to fully understand, we held a webinar on 13 December 2017 to go through all the items you will need to consider to ensure you are compliant for visitor data across the marketing and operational databases.

We will be holding another webinar to discuss Trade Data on 6 March 2018. Please see the February Monthly Newsletter for the sign-up form.

Last updated: 08/02/2018

Key Concepts

GDPR applies to personal data, such as the names and email addresses you might collect through bookings, orders and CRM forms.

For much of the data in the NVG system, you are the data controllers and we are the data processor. The responsibility for GDPR lies primarily with you, the data controllers. We are planning some system developments to make that easier for you.

The ICO has produced the 12 steps to take now for compliance (link under resources) and we have identified the main four points that relate to NVG systems.

The points of focus are:

Point 3 - Communicating privacy information

Point 5 - Subject access requests

Point 7 - Consent

Point 9 - Data Breaches

Resources

An official source of information for GDPR is the Information Commissioner's Office website, https://ico.org.uk

How we will be helping you

This section explains how the implementation of GDPR will affect the data held in Destination Centre. There are different types of data held and we will be discussing all the ways in which we will be helping you stay compliant.
 
Phase 1 - (implemented)

Phase 2 - (implemented)

Phase 3 - (implemented)

  • New Data Protection questions in use
  • New Privacy Policy in use

Phase 4 - (implementation by March 2018)

  • Trade Data (e.g. accommodation and non-accommodation details)
  • Subject Access Requests (SARs)
  • Data security review for GDPR

Phase 5 - (implementation by April 2018)

  • Guestlink + Diary Data

Phase 6 - (implementation by May 2018)

  • Relationship Builder decommission
  • Delete eMarketing records with no Data Protection Question and Answer
  • Delete operational data that is unused for more than 18 months
  • Delete eMarketing data that is unused for more than 24 months

Operational Database

Visitor data includes the collection of consent from customers making enquiries and bookings through your website. The changes require that you must state at all times the marketing organisations the individual is signing up to. This is normally done using the Data Protection Question on booking and enquiry forms. You must also store the question and answer given at the time of consent.

Changes to the Data Protection

As part of GDPR, you must not default the Data Protection question to yes; the individual must only be opted in if they choose to be.

For instructions on setting up your New Data Protection question(s) please visit https://www.nvg.net/data-protection-tool.aspx. These questions will be used from February 2018.

NVG have updated VBOE (view bookings, orders and enquiries) and MOE (manage online enquiries) to list the question and answer the individual selected at the time of the enquiry which is a requirement of GDPR.

Extension to how long visitor data remains in VBOE and MOE

We will be extending the time from 13 months to 18 months. Please be aware that, to remain compliant, NVG will no longer be archiving the data after this period and it will be completely deleted. As mentioned above, this will commence from March 2018.

Relationship Builder

We will be decommissioning the Relationship Builder tools, as they will no longer be an option under the new GDPR legislation. This will be done before the date the law comes into force.

Consent and Data Protection

Customer Reviews

We will be updating the customer reviews to only include the initials of the guest and their country and making these non-editable. The objective is to remove any identifiable personal information for the Guestlink reviews system.

eMarketing Database

As part of GDPR the eMarketing Database will only contain records for which the customer has agreed to receive newsletters from your organisation. We are working on ensuring that the Data Protection question and answer from their most recent communication is saved and you will be able to update the answer if the customer contacts you directly.

Please visit our page about the changes https://www.nvg.net/emarketing-updates.aspx.

We have also written an FAQ with tips on how to clean up your eMarketing data.

Privacy Policy

GDPR states that the Privacy Policy on websites must include details of how details will be used, the retention policy and how to make a Subject Access Request.

NVG have updated our standard Privacy Policy template to reflect the required changes. You may need to add additional details about your organisation when this change has been implemented. For full details, please visit our page, which gives full instructions on completing the setup: https://www.nvg.net/privacy-policy-updates.aspx

Any client using a non-standard NVG Privacy Policy will be required to update their version to give the details required.

We will be adding a link to the Privacy Policy next to the Data Protection Question on the websites, as GDPR requires that it is prominently displayed.

For instructions on setting up your New Data Protection question(s) please visit https://www.nvg.net/data-protection-tool.aspx.

Trade Data

We will be holding a webinar to discuss our proposal for how GDPR will impact your communications with your trade contacts. The webinar will be held on 6 March 2018 at 11am.


We strongly recommend you attend the webinar, as this will cover all uses of Trade data, including using our bMarketing system or exporting and using the data via a third party. To join our webinar, please complete the online sign-up form from the February Monthly Newsletter.