Resort Support

The everyman guide to EU’s General Data Protection Regulation (GDPR)

This article contains information about legal frameworks and compliance related to personal data, specifically in relation to the upcoming General Data Protection Regulation (GDPR) from the EU legal eagles. Exciting huh? Yeah, okay so maybe not, but it is vital that you know about it for your business where ever you are based.

On the 28th May 2018 the law will change in regards to personal data. If your company holds any personal information about any people within your business, this new GDPR law will affect you. The General Data Protection Regulation (GDPR) is a new European Union regulation that aims to protect personal data, there are only a couple weeks left for compliance; will you be ready?

Also you should be aware that this wasn’t thought up after the Facebook privacy debacle early in 2018, but years ago:

After four years of preparation and debate the GDPR was finally approved by the EU Parliament on 14 April 2016. Enforcement date: 25 May 2018 – at which time those organizations in non-compliance may face heavy fines.

In this article we will look at these new regulations and try to simplify them and to give you and your business all the information you need within 22 short and sharp facts and tips.

Do you collect data?

Quickly to start with, do you actually collect data? More than likely is the answer. If you do, or have any of the following, then you collect personal data:

  • Contact Us form on your website
  • Email marketing (sign up for our newsletter!)
  • Book Now button on your website

GDPR Basics

1. The GDPR will apply to all organisations (yes governments/ NGOs/ charities/ companies/ sole proprietors etc etc) that serve or have clients who are EU citizens. So even our companies that are based outside of the European Union but have customers within it are still expected (read legally need to) to comply.

2. It doesn’t matter how big or small your business is, this law applies to everyone and every organisation if it has any personal information about any people in its files/databases.

3. According to the GDPR personal data is defined as information that is private, professional or public. Some of the obvious examples are names (first, middle, last and title), addresses, emails, bank details, credit card details, medical info and even an IP address (think about website analytics and tracking…). And it’s not just the stats in your marketing database but also includes photographs, and even social media posts are considered as personal data within the regulation (do clients post pics on your company Facebook page???).

4. Information from national security or law enforcement is not part of the personal data classification by the GDPR. Yes, the CIA, FBI, MI5, Interpol and police are exempt! They can keep whatever they want about you and not tell you.

5. One of the intentions of the regulations is to stop companies making unfair decisions using algorithms. It has been argued in the past that algorithmic decision making is fairer because it is removed from human judgement. Of course along with judgement, compassion has also been removed and this process has been criticised for excessive discrimination.

6. Under these new GDPR regulations if decisions about EU citizens are made using algorithms, (this is all about marketing and targeting and advertising using this data) they can be legally challenged. This is a BIG hit to marketing online.


All about deleting data on 18th May 2018

7. After May 18th 2018, people in the EU can request that organisations delete any  and/or all of their personal data in the database. (this is the “Right to be Forgotten” taken to new level)

8. All organisations will have to delete information when the purpose for its collection is no longer relevant. i.e. a client from 4 years ago who has not communicated since, is probably not deemed relevant = delete it.

9. All organisations will have to delete information that was collected without informed and clear consent. Even if they have clicked a box 2 years ago saying yes email me, we need to ask them again specifically before 18th May. If we don’t get a ‘yes I consent”  =  delete their email and data from your database. That could reduce the size of our MailChimp lists significantly!

10. All data that has been used illegally will also have to be deleted by law. Kind of goes without saying, but if you have bought any email list, and the people haven’t given consent, then get it out of your database.

11. In some cases deleting data does not necessarily make it secure. Hackers can still access deleted files. The solution is to encrypt the documents and then delete the encryption key. This way the data is unreadable.

The Nasties – Rules and Penalties

12. Larger organisations will for sure be required to employ specific data protection officers.

13. If any organisation experiences a data breach, they must notify the supervisory authority for your area, but just as importantly the individuals whose data was stolen must also be informed.

14. Breaking the GDPR comes with tough financial penalties. Companies could be hit with a €10,000,000 fine or 2% of their annual turnover. For more serious cases the penalty could be as much as €20,000,000 or 4% turnover.


Your Probable Next Steps

15. The first thing to do is to complete an audit using the GDPR legal framework as a guide. By doing this you will identify if your business is already adhering to regulations, and if not, then in what areas are fixes needed.

16. If you operate globally (and let’s be honest most of my resort clients are all about international clients), try to specifically identify data from EU citizens (look for and email addresses etc in your database)

17. Identify other businesses and organisations that are controlling, processing or storing this information for you. Think about your web hosts, banks , booking engines, Paypal, Stripe, Square, Expedia etc etc etc. Make sure you include disclosures and info to your clients about them too.

18. Identify who has access to the personal data you hold. Think specifically which software solutions use the data, again think booking engines at Online Travel Agents (OTAs)

19. Look at your current procedures for protecting the data. Do you use psuedonymisation or encryption to store the client database? Or do you ever download it as an Excel spreadsheet (unlocked??? EEEK!) If you think that need to take steps to ensure greater protection is put in place, then this needs to be done before May 18th.

20. Remember to also check any data that you back up; this too needs to be protected. Look at your website backups, do they store the database too?

21. From this initial audit onward, keep a record of everything you do to protect data to prove you are pro-active about this. If you are ever investigated by the GDPR Supervisory Authority, you will need evidence that you are taking the best action you can.

22. Put into place new data handling practices so that as you obtain new data it is automatically protected. This is what the GDPR describes as “data protection by design and by default.”

You are not alone in this

By now all this talk of data protection, encryption, legal frameworks, fines and compliance may be making your head spin, and if its not then you don’t get it yet LOL 😀

However relax a bit and realise that you are not alone. There are literally millions of organisations affected by this and everyone is scrabbling to make sure they don’t fall short.

Knowing that you are not alone is very powerful in business. Reach out to your business network (local Chamber of Commerce or Hotel Association), share your concerns and you will be surprised by the practical support you will receive in return.

For a simple guide from the UK agency in charge of this, and a more in depth read about it all, download this: Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now 

If you need more help with this, get in touch with me at

Scroll to Top