Consent, consent and more consent: Simpleview’s practical guide to the GDPR

Eric Rankin, vice president of Product Development at Simpleview, a US-based provider of digital strategy and marketing solutions for destination marketing organisations (DMOs) worldwide, provides some tips that could help you prepare for compliance with the General Data Protection Regulation (GDPR).

In a nutshell, what does GDPR mean to the global meetings industry?

The purpose of the EU GDPR is to protect the personal data of residents of the EU online. It gives EU residents more control over if, how, when, and how much of their data is used. If you have personal data of EU residents or EU business contacts in your databases, GDPR will affect how marketing is done in the years to come.  GDPR was not a total shock to the system for us. It’s not unlike the Canadian anti-spam law, CASL, which came out in three stages in 2014, 2015, and 2017. The primary details are the same: consent, level of consent, fines for non-compliance. The GDPR requires greater accountability, however.

In practice, how will GDPR change the way we do things?

It means that in your marketing practices, what you communicate to whom and when is going to matter. Be clear you know who you are communicating to (did they consent to your communications?), and what you are communicating to them (did they specifically consent to the type of information you’re sending?). Only collect information to communicate what you need to successfully. This has long been a best practice recommendation at Simpleview.

If all you really need is an email address to send a digital event brochure, request consent for that information for that purpose. If you have offices anywhere in the world, and want to be able to send follow-up information to a EU citizen about your venue or destination after the initial brochure is sent, with the EU GDPR in place, you’re going to need consent to gather further data to target relevant messages, and to keep sending those messages.

What else should we keep in mind?

With EU GDPR regulations, consumers also have the option now to review the data you’ve collected on them, and to request that you delete it. You’ll want to be sure you have processes in place to do this.

And, as always, make sure the data you collect is secure. Are your partners also compliant? Are the tools and processes of your data processors compliant? For example, DMOs are controllers of information. Simpleview serves as a processor. Both data controllers and processors have responsibilities to maintain EU GDPR compliance, and in some places, these overlap. Compliance and consumer data protection is thus a dual responsibility, a shared responsibility. Both controllers and processors must have systems and processes in place to ensure proper GDPR compliance.

The gist is this: Communicate responsibly and respectfully. Collect only the data you need to collect to do your job, and do it with consent. EU-consumers and EU-business contacts need to opt in, sometimes twice, not opt out. They need to give you clear permission up front to collect their data. Do all you can to keep that data as secure as possible, and work with your partners—your data processors—to ensure the same on their end.

What should we do to prepare for the GDPR compliance by the May 25 deadline?

Read and understand the EU GDPR, and make sure your staff understand what’s required to achieve and maintain compliance. Understand the EU GDPR’s definitions of terms like personal data, consent, opting in, controller, and processor. Know the details, like “the GDPR will supersede any and all existing data privacy and protection laws currently upheld by the EU’s member states.” Then it’s time to adapt. Put policies in place to ensure everyone on staff follows the same processes to continue compliance. And be sure to pick the right partners when it comes to data collection and storage. Know what they are doing to be compliant, and know that in Simpleview’s case, we’re connecting with our partners, like Act-On, Cvent and Stackla, to do the same.

Whatever software an organisation employs, they need to consider whether their systems can collect the data and be compliant with the EU GDPR. Yet the human factor is just as important. Software can’t solve everything. Each organisation has to have rules in place around the use of their systems and process to ensure compliance. Again, compliance is a shared responsibility, on the software side and the human side, but along with offering software and digital marketing solutions, we’re happy to consult and provide guidance in any way we can.

How did an American company like Simpleview become familiar with the European regulations?

Simpleview has been in travel and tourism for 15+ years. We’ve been doing business overseas since 2012. We work with convention bureaux and tourist boards in approximately 540 cities across five continents, providing industry leading CRM and CMS systems, plus digital marketing, website design, business intelligence, and mobile services.  We understand the global travel and tourism community and how business is done where. Our system is designed to work the way DMOs and the job roles within them need it to work. Our technology experience puts us in a position to understand and be comfortable with specific and varied technological requirements, whether it’s EU GDPR regulations, Canada’s Anti-Spam Law (CASL), or Germany’s double opt-in procedure.

www.simpleviewinc.com