Data. It’s a bit of a boring subject, right? Most of the time the answer to that question would be a resounding ‘yes’ but a seismic change in law is about to make this a big issue – and one you will not be able to ignore (no matter how boring you think it may be).
So, what, exactly, are we talking about? Welcome to the world of General Data Protection Regulation (GDPR). And it’s one you’re going to get to know very well over the coming weeks and months…
What is GDPR?
Put simply GDPR is an update and revision to our existing data protection laws. In real terms it is a major shake-up of how we all process, handle and store personal and customer data – and punishment for those who flout the laws also just got a lot tougher, too.
Let’s start with a quick history lesson… Up until now those living in the EU have been working under the Data Protection Directive, which was initially approved over 20 years ago. This directive sought to protect the privacy of European citizens and restrict the distribution of sensitive personal data. GDPR has been developed to standardise data protection requirements for all EU countries. It came into law in April 2016 and, for the last two years there has been a grace period, before coming into full effect on May 25th, 2018.
How will GDPR effect holiday parks and campsites?
Its impact will be huge for our industry. Perhaps one of the biggest changes will be regarding customer consent. Currently, 99.9% of the data that you hold will have been obtained under the guise of ‘implied consent’ – that is consent that was granted by assumption or someone’s actions rather than their direct permission. For example, a customer could’ve been added to your mailing list by filling in a form on your website where the ‘join our newsletter’ checkbox was already pre-checked – an assumption that they wanted to sign-up. Or, perhaps a customer may be on your mailing list because they once requested a brochure 10 years ago (but have never, to your knowledge, actually booked a holiday). We’re assuming they’re still interested.
Well, all that is about to change. GDPR demands that you must get explicit consent from customers. Put simply, for many of you that will mean re-contacting your customers and asking them if they still want to receive marketing information from you. If they say ‘no’ or don’t contact you then you can’t, legally, send them marketing information and they should be removed from your database. Silence does not imply consent.
The thought of this, for some, will make your blood run cold. Potentially those with giant email databases, containing thousands of email contacts, that could be very quickly be cut down to a more modest size.
Some of you may also read this and think ‘the powers-that-be aren’t going to care about a little campsite in the middle of nowhere sending out an email to a customer, are they?’ and that you can get away with carrying on regardless. Maybe… maybe not – but do you really want to take the chance? All it takes is for a customer to complain to the Information Commissioner’s Office and a business can be fined 20 million Euros or 4% of their global turnover, whichever is higher. Not really worth the risk for the sake of a few emails, is it?
It’s not all bad news
Put down the shredder and move the cursor away from the ‘delete all’ button. Before you start to panic too much about the state of your data, perhaps you should see this is an opportunity to clean up how you use, store and handle your data.
Let’s look at this from a glass half-full perspective, rather than half-empty. Is it not better to have a focused list of 2,000 customers who have opted-in and that you know are interested in your park rather than your old list of 10,000-20,000 where only a very small percentage actually engage with your park? If a large chunk of this group don’t respond or, more importantly, book, then what is the point of them being on your list? After all it’s costing you to send them material….
What should I do next?
There are five steps we feel you should take immediately – don’t wait until May!
1. Data cleansing: Take a close look at all the data you hold. Go through your database and remove those who haven’t engaged with you in the last five years – chances are they never will.
2. Re-communicate: Email people on your data base asking them if they want to opt-in, followed by a reminder to those who don’t respond a few weeks later. Those who still don’t opt-in should be removed.
3. Segmenting and targeting: Those who do opt-in should be segmented for better targeting campaigns in future and not all lumped into one pot. Separate out your touring from your camping guests and your lodges from your caravans. This will allow you to send more specific campaigns in future.
4. Get your website ready: Go through your website to check your compliance – are forms pre-checked with the sign-up box ticked, is the wording on those forms deliberately misleading to get people to sign-up, are there clear links on those forms to cookie policies and data protection policies?
One thing GDPR makes abundantly clear is that your consent has to be provable. By keeping a clear record of the subscribers who do opt-in you will be able to prove your consent if you need to (which could save you a LOT of money).
How else could GDPR effect my holiday park?
- Look at where you store your data: Technical and security systems must be up to date, secure and must also include back-up facilities. What happens if there is a security breach? Is your data encrypted?
- If you use a marketing company, for example to send and receive emails on your behalf, then there must be a data processing agreement put in place which requires the contractor to comply with GDPR
- You will have to keep records of data processing activities – i.e. dates and times at which you amended, moved, updated your data.
- People may be able to request copies of all the data you hold on them – and asked for all personal data to be erased and so forgotten once no longer required.
- You will have 72 hours to report any data break to the Information Commissioner’s Office and to every subject whose data was breached.