GDPR – What’s It All About?

In this post:  we’ll discuss the General Data Protection Regulation (GDPR), data protection and privacy rights in the European Union (EU), how it impacts transactions and marketing and non-compliance.

The General Data Protection Regulation (GDPR) in the European Union (EU) will go into effect on May 24, 2018. If you have had or anticipate having customers from any of the member countries of the EU*, you will need to protect their data and privacy. Approved in April 2016, businesses have had more than two years to prepare or face steep fines for non-compliance.

We’ve created this special blog post to help you understand these regulations.

Note:  We are not attorneys or lawyers but rather marketers who have reviewed multiple websites and compiled the following information.

If you have guests who visit your travel-related business or who sign up for your newsletter and reside in the European Union* (EU), you will need to protect their data and privacy. The penalties imposed by the EU are sizable.

The need to report data breaches immediately is said to be a major reason behind the new regulations. Think – Equifax (credit reporting), Target, Anthem (health care), eBay, Yahoo, Ashley Madison (affairs), JP Morgan Chase (financial), Home Depot (home improvement), Sony Pictures (entertainment – hack prior to the movie “The Interview,”) Citibank (financial), Heartland (credit card processors) and …

We are unable to determine what else will trigger the GDPR’s penalties and fines but it may be individuals reporting:

  • His or her data was breached
  • He or she did not authorize or recall authorizing certain communication
  • He or she was unable to unsubscribe
  • He or she unsubscribed and continue to receive communication

While meeting the EU’s requirements may reduce the size of your overall database, in our opinion, the new required regulations are in general smart business and marketing practices.


The General Data Protection Regulation (GDPR) impacts current and past guests.

You will need to ask permission from those you previously communicated via email to make sure they want to continue to have their information on file and are open to receiving information in the future. It applies to anyone making reservations and sending emails moving forward, too.

If you only collect an email address for newsletter sign-ups (and not a country or zip code) that may necessitate your contacting your entire email list and asking everyone to opt-in. If you can segment your list, you may decide to only communicate with those in the EU.

Here’s how GDPR will work. Individuals need to take an “action” in order to join a list. We recommend this be done one of two ways:

  1. Require a check box when asking to collect information:

    [   ] Yes, I want to receive promotional information, such as newsletters from XYZ Company. For more details about how we use your information, please visit our privacy policy page.  [Add a link to your privacy page.]

  2.  Set up email collection as a double opt-in.

    This requires all subscribers, once they enter their email address and click submit, to receive an email requiring them to then confirm they want to sign-up. If they do not confirm, your email system will not allow them to be added to the list.

    They most likely will appear on your list as “unconfirmed.” Double opt-ins work best when the person subscribing is advised to check their emails.

Make it easy for someone to opt out. Make sure the font is in a readable size and color.

If you have an email sign-up sheet in your gift shop, tour check-in or tasting room, it no longer automatically give you the right to use that individual’s address to send them promotional emails according to everything we’ve read on the subject.

If someone asks to be removed from your database, it must be done within one (1) month and be free of charge. In many cases, software that you use for email collection and merchandise sales “should be” updated by the vendor to easily handle data removal requests.

Many vendors have already communicated their updates to software and privacy policies. If you have an account with Google, use an email system or social media, it’s likely you’ve received an email in recent weeks detailing how each is protecting its users’ data and privacy.

Do you buy mailing lists?

If it contains data for anyone living in the EU, you’ll want to know that the person who collected the information was and is GDPR compliant. It’s no longer enough to have an existing business relationship or to be a previous customer. A specific action is now required to authorize your OK. If you purchase a list, ask the list provider to send you an email confirming the data collection is compliant. In that way, if your company is contacted by the UE, you can show proof of due diligence.


Data of any type – whether held in the cloud, on your server, on a computer, in your emails or in paper format need to be protected. This includes using anti-virus software, a fireproof box or a locked room. How secure is the data? Did you just assume it was OK until now?

If you maintain data and don’t have a mechanism in place, now is the time to establish a system by which you maintain it – how to add, edit, delete and permanently delete. Think about all the ways in which you collect data. (See Private Policy bullets below.)

Name someone as the person in charge of data security, privacy and protection.

Communicate to all employees via email and in a training session who is in charge of the data and provide a macro understanding of what is stored and what is involved to remove someone’s data. Explain the safety measures by which it is protected. Add this information to your employee manual.

Communicate in detail to all members of the leadership team via email and in a training session on a micro level the same information. Explain the safety measures by which it is protected.

Do you have a way to permanently remove data? Does this include backup storage drives or servers, if someone asks for his or her data to be removed? Unless you keep it in a spreadsheet or as part of your accounting software, many of the third-party software providers may be handling it for you.

Don’t hold data unnecessarily. Use it for its intended purpose only.


Click to view an example of a General Data Protection Regulation (GDPR) privacy policy that addresses the following:

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?

What if you sell your business? Can you simply pass along to the new owner the list? Answer:  0nly if your privacy policy clearly includes an assignment clause.

For more details on the European Union’s General Data Protection Regulation (GDPR), click here.

To learn more about Flying Compass’ services, click here or contact us.

*European Union countries as of May 20, 2018 courtesy of EU Travel and Information Authorisation System (ETIAS)**

  • Austria
  • Belgium
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland***
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • United Kingdom***

4 non-EU member states

  • Iceland
  • Liechtenstein
  • Norway
  • Switzerland

3 micro-states de factor part of this Schengen* Area:

  • San Marino
  • Vatican City State
  • Monaco

4 countries that will be part of the Schengen Area.

  • Bulgaria
  • Croatia
  • Cyprus
  • Romania

**According to the ETIAS, the border-free Schengen Area guarantees the free movement of EU citizens in the EU territory as well as other non-EU citizens who are legally authorized to stay in this area either for a short or long period. This enables authorized people (EU and non-EU citizens) to cross the internal border without being subject to border controls.

***Scheduled to exit the EU on March 29, 2019

Skip to content