General Data Protection Regulation (GDPR) - Information for our clients

General Data Protection Regulation (GDPR) builds on the concepts of the current Data Protection Act (DPA) and applies to the personal data you control. GDPR came into force on 25 May 2018 and is a legal requirement to implement.

To help you prepare, we created this page with all the relevant information and it will be updated regularly as the deadline approaches.

GDPR is involving changes to the system to allow you to be compliant. We are not charging for the basic changes but if you require any additional changes or data updates then these will be chargeable.

As we are aware that GDPR is something that all clients will need to fully understand, we held a webinar on 13 December 2017 to go through all the items you will need to consider to ensure you are compliant for visitor data across the marketing and operational databases.

We held the webinar to discuss Trade Data on 6 March 2018 please see trade section for full details.

Last updated: 09/07/2018

Key Concepts

GDPR applies to personal data, such as the names and email addresses you might collect through bookings, orders and CRM forms. It also applies to businesses that are sole traders or partnerships.

From 25 May 2018 GDPR gave individuals with many rights, including; being informed where their data is stored, how it is used, (e.g. for contacting them or research) and rights regarding access, rectification & erasure.

For much of the data in the NVG system, you are the data controllers and we are the data processor. The responsibility for GDPR lies primarily with you, the data controllers. We implemented some system developments to make that easier for you.

The ICO has produced the 12 steps to take now for compliance (link under resources) and we have identified the main four points that relate to NVG systems.

The points of focus are:

Point 3 - Communicating privacy information

Point 5 - Subject access requests

Point 7 - Consent

Point 9 - Data Breaches

Resources

An official source of information for GDPR is the Information Commissioner's Office website, https://ico.org.uk

How we will be helping you

This section explains how the implementation of GDPR will effect the data held in Destination Centre. There are different types of data held and we will be discussing all the ways in which we will be helping you stay compliant.
 
Phase 1 - (implemented)

Phase 2 - (implemented)

Phase 3 - (implemented)

  • New Data Protection questions in use
  • New Privacy Policy in use

Phase 4 - (implemented)

Phase 5 - (implemented)

  • Guestlink + Diary Data

Phase 6 - (implemented)

  • Relationship Builder decommission
  • Delete eMarketing records with no Data Protection Question and Answer - Wednesday 16 May.
  • Delete operational data that is unused for more than 18 months - Wednesday 9 May.
  • Delete eMarketing data that is unused for more than 24 months - Wednesday 16 May.

Operational Database

Visitor data includes the collection of consent from customers making enquiries and bookings through your website. The changes require that you must state at all times the marketing organisations the individual is signing up to. This is normally done using the Data Protection Question on booking and enquiry forms. You must also store the question and answer given at the time of consent.

Changes to the Data Protection

As part of GDPR you must not default data protection question to be yes and the individual must only be opted in if they choose to be.

For instructions on setting up your New Data Protection question(s) please visit https://www.nvg.net/data-protection-tool.aspx. These questions will be used from February 2018.

NVG have updated VBOE (view bookings, orders and enquiries) and MOE (manage online enquiries) to list the question and answer the individual selected at the time of the enquiry which is a requirement of GDPR.

Extension to how long visitor data remains in VBOE and MOE

We will be extending the time from 13 months to 18 months. Please be aware that NVG will no longer be archiving the data after this period to remain compliant and it will be completely deleted, as mentioned above this will commence from March 2018.

Relationship Builder

We will be decommissioning the Relationship Builder tools as it will no longer be an option under the new GDPR legislation. This will be done before the date the law comes into force.

 

 

 

Consent and Data Protection

Customer Reviews

We will be updating the customer reviews to only include the initials of the guest and their country and making these non-editable. The objective is to remove any identifiable personal information for the Guestlink reviews system.

eMarketing Database

As part of GDPR the eMarketing Database will only contain records for which the customer has agreed to receive newsletters from your organisation. We are working on ensuring that the Data Protection question and answer from their most recent communication is saved and you will be able to update the answer if the customer contacts you directly.

Please visit our page about the changes https://www.nvg.net/emarketing-updates.aspx.

We have also written an FAQ with tips on how to clean up your eMarketing data.

Privacy Policy

GDPR states that the Privacy Policy on websites includes details of how details will be used, retention policy and how to request a Subject Access Request.

NVG have updated our standard Privacy Policy template to reflect the required changes. You may need to add additional details about your organisation when this change has been implemented for full details please visit our page which gives full instructions on completing the setup https://www.nvg.net/privacy-policy-updates.aspx

Any client using a non standard NVG Privacy Policy will be required to update their version to give the details required.

We will be adding a link to the Privacy Policy next to the Data Protection Question on the websites, as GDPR requires that it is prominently displayed.

For instructions on setting up your New Data Protection question(s) please visit https://www.nvg.net/data-protection-tool.aspx.

Trade Data

Thank you to all who attended the trade webinar on 6 March 2018.  This webinar explained how the business needs to know that they are part of the Guestlink database and where they are published.

We have updated Guestlink so that businesses are aware when updating their details in Guestlink > Update > Details > Processing of your Business Data.  This tells the businesses about the usage of their data and provides an opportunity to opt out of non-essential communication:

"United Kingdom organisations, including NVG, promoting tourism and local businesses, who use the Guestlink database (operated by NVG Ltd), may process your business data. The lawful bases for processing your business data may be ‘Contract’, ‘Legitimate Interests’ or ‘Public Task’, depending on the organisation and nature of the processing. This is processing you may reasonably expect, relating to your business presence on the organisations' websites and publications and your use of Guestlink.

If you wish to be removed from the Guestlink database, please contact your data steward [Data Steward Details]

As part of the processing the organisations may contact your business about your use of Guestlink, updating your entry on the organisations' websites and publications, or how to use system features that could benefit your customer numbers or customer spend.

[ ] Tick this box if your business does NOT wish to be contacted about non-essential matters."

As a data steward or website owner, you also need to have processes in place when your contacting the trade. For full details please visit https://www.nvg.net/client_gdpr_responsibilities.aspx.

We have a proposal for dealing with deletions/pending records and we have outlined the details on https://www.nvg.net/proposed_trade_data_retention.aspx.