GDPR - What is it and what do you need to do?


GDPR. No, it’s not just another buzzword that’s afloat on the internet. Everyone with a website needs to pay attention!

What is GDPR?

GDPR stands for General Data Protection Regulation and it goes into effect internationally on the 25th of May 2018. GDPR is an updated version of the Data Protection Directive that has been in effect since 1995. In the simplest terms, it boils down to protecting the rights of people who give you their personal data.

What personal data may you be collecting?

If you have Google Analytics, videos played on your site from YouTube, an e-commerce function that collects billing information and other features that load automatically on your site via “cookies” then you are collecting personal data.

GDPR does not only affect your business and your website but also any 3rd party providers, which in the travel industry means your booking engine provider also.

Be sure to check that they have already adjusted to the GDPR. This should be accessible via your contract with your provider and/or on their website’s privacy policy.

Since they act as a data processor, they will need to have appropriate security measures in place and notify you of any breaches that happen.



Who does GDPR apply to?

The biggest misconception about GDPR is that you only need to be compliant if you run a business out of one of the EU member states. It actually applies to any business that does one of the following:

  • Actively offer products or services to EU residents
  • Collect personal data, including pseudonyms, from citizens of the EU

So whether you’re a business based in New Zealand or the US, you are required to comply with the GDPR. In essence, any business that has a website should be concerned about this law as you really can’t control who visits your website.

For those in the travel industry, compliance becomes even more crucial. The UK alone makes up 7% of New Zealand’s past inbound travelers and there’s a total of 6.8 million active considerers – people who consider coming to New Zealand for their next holiday. This is a potentially large market for any travel business based in New Zealand with an audience that is concerned about how their personal data is being collected.

What you need to do

Now let’s drill down into what you need to be doing on your site to ensure compliance:


If you don’t have a privacy policy yet, it is the first thing that you need to do. We recommend writing your privacy policy in accordance with Article 12 of the GDPR, which shows that you process personal data in a way that is transparent, concise, intelligible and easily accessible. In other words, try to explain in plain English:

  • What data you are collecting
  • How you collect the data
  • What it will be used for
  • How you secure it
  • Any third parties that will have access to it
  • What your cookie policy is and what cookies are loaded on your site
  • Controls that the user can have over this data collection

We highly recommend adding your privacy and cookie policy to the footer of your website and linking it to any opt-in you have on the site.

A simple Google search will provide a number of free privacy policy templates. However, should you choose this option, we recommend doing due diligence to ensure that it complies with Article 12 of GDPR and/or seeking legal advice.


If you are collecting names or emails and/or if you have Google Analytics you are collecting data and using “cookies.”

Cookies are small files that are automatically dropped on your computer as you browse the web. Cookies themselves are harmless bits of text that are locally stored and can easily be viewed and deleted. But cookies can give a great deal of insight into your activity and preferences which can be used to identify you without your explicit consent.

There could also be other 3rd party systems like social media integrations added to your website that can gather data and they may also use Cookies to gather this data.

Under GDPR, you must advise website users that you are using Cookies and what your Cookie policy is. You have probably already seen such warnings on sites over the last year.

Another consent mechanism to be aware of is your newsletter signups: that opt-in box that already has a check. Well, in the new world of GDPR compliance, that is a big no-no. Think Active Opt-in. The concept of consent under the GDPR gives importance to consent that is freely given, specific and informed. So before you start collecting any information, make sure the consent is clear, affirmative and explicit.


Make sure you have appropriate security measures in place for the data you store and process, and keep written records of the personal data processing activities you carry out. Only keep the personal data for as long as it is necessary. How you and your staff handle personal data in your everyday business activity must be controlled and protected.

Next Steps

If you are not yet working towards GDPR compliance, the time to do so is NOW.

There are big penalties that come with non-compliance.
