AI Strategy Template for Destination Organisations
This is a template document. All text in [square brackets] must be completed by your organisation. This template does not constitute legal advice. Review with your legal counsel before formal adoption.
1. Document header
Title: AI Strategy for [Organisation Name]
Complete the following control fields before adoption:
- Organisation name: [Organisation name]
- Approved by: [Board / leadership title]
- Date of approval: [Date]
- Review date (recommended: annual): [Date]
- Version number: [e.g. 1.0]
- Document owner: [Job title responsible for this document]
Purpose statement
This strategy sets out [Organisation Name]'s approach to the adoption, governance, and ethical use of artificial intelligence tools and systems. It applies to all staff, contractors, and partners acting on behalf of the organisation. It is a living document, reviewed annually and updated in response to changes in technology, regulation, and organisational practice.
2. Strategic context
2.1 Why this strategy exists
AI tools are increasingly available to destination management organisations for functions including content creation, data analysis, visitor engagement, translation, financial planning, and administrative automation. Without a defined strategy, AI adoption is likely to be fragmented, inconsistent, and potentially non-compliant with data protection and emerging AI regulation. This strategy provides a coherent framework for responsible adoption.
2.2 Regulatory context
This strategy is written with reference to the principal regulations that apply to AI use by organisations operating in or marketing to the European Union:
- EU AI Act (Regulation 2024/1689/EU, in force August 2024) — classifies AI systems by risk level (unacceptable, high, limited, and minimal) and imposes obligations on the deployers of high-risk systems, including risk management, human oversight, transparency, and record-keeping.
- EU General Data Protection Regulation (GDPR, Regulation 2016/679/EU) — governs how personal data may be collected, processed, and shared, including where personal data is processed by AI systems.
- Data Protection Impact Assessment (DPIA) — required where AI tools process personal data at scale or are likely to result in a high risk to the rights and freedoms of individuals.
Note: Organisations outside the EU should identify the equivalent regulatory framework in their jurisdiction and adapt this section accordingly.
2.3 Organisational context
[Brief description of the organisation's size, structure, primary functions, and the markets or destinations it serves. Note the organisation's existing digital maturity and any relevant prior experience with data-driven tools.]
3. Vision and principles
Vision statement
[Organisation Name] will use artificial intelligence to improve the quality, efficiency, and reach of its work, while maintaining human oversight of all decisions that affect stakeholders, partners, visitors, or staff. AI will support human judgement, not replace it.
Governing principles
Principle 1 — Human oversight
All AI-generated outputs that are published, shared externally, or used in decision-making must be reviewed and approved by a named staff member before use. No AI output may be published or acted upon without human review.
Principle 2 — Data minimisation
AI tools will only be given access to the data they require for the specific task. Staff must not share sensitive, personal, or confidential data with external AI systems unless a data processing agreement is in place and the sharing is necessary for a defined organisational purpose.
Principle 3 — Transparency
Where AI tools are used to create content that will be published or shared externally, the organisation will maintain an internal record of AI involvement. Where disclosure to external parties is required by law or regulation, it will be provided.
Principle 4 — Accountability
A named individual holds responsibility for AI governance within the organisation. This role is defined in the organisation's operational governance documents. In small organisations this may be the CEO or director. In larger organisations a dedicated role or working group is recommended.
Principle 5 — Non-discrimination
AI tools selected and used by the organisation must not produce outputs that discriminate on the basis of nationality, ethnicity, gender, age, disability, religion, or any other protected characteristic. Where bias is detected in an AI tool's outputs, use of that tool for the relevant function must be suspended pending review.
Principle 6 — Continuous review
This strategy and the organisation's AI tool inventory will be reviewed at least annually. Reviews will assess whether tools in use remain appropriate, whether new regulatory requirements have emerged, and whether the organisation's AI maturity has developed sufficiently to expand or restrict permitted use cases.
4. Permitted and restricted use cases
Table A — Permitted use cases
| Function | Permitted AI uses | Conditions and limitations |
|---|---|---|
| Content creation | Drafting marketing copy, social media posts, website text, translated content | All outputs require human review before publication. AI must not be used to fabricate quotes, statistics, or visitor testimonials. |
| Data analysis | Processing visitor statistics, identifying demand patterns, analysing survey results | Only anonymised or aggregated data may be used. Personal data must not be uploaded to external AI systems without a DPA. |
| Administrative tasks | Drafting internal documents, meeting summaries, correspondence templates | Outputs must be reviewed before sending. Confidential information must not be shared with external AI systems. |
| Translation | Translating marketing materials, website content, partner communications | Human review required for all published translations. Legal or contractual documents must not be translated by AI without professional verification. |
| Research and monitoring | Summarising reports, monitoring media mentions, identifying competitor activity | Sources must be verified independently. AI summaries must not be cited as primary sources in official documents. |
| Visitor-facing tools | Chatbots, recommendation engines, multilingual support tools | Visitors must be informed they are interacting with an automated system. A human escalation path must be available. |
| Financial and operational planning | Budget modelling, demand forecasting, resource allocation support | AI outputs are advisory only. Final decisions rest with named budget holders. |
Table B — Restricted and prohibited use cases
| Use case | Status | Reason |
|---|---|---|
| Automated decision-making affecting individuals (e.g. staff, applicants) | Prohibited | GDPR Article 22 and EU AI Act high-risk classification |
| Processing of special category personal data (health, ethnicity, religion, political opinion) | Prohibited | GDPR Article 9; requires explicit legal basis not typically available to DMOs |
| Generating visitor images depicting real individuals without consent | Prohibited | GDPR and image rights obligations |
| Publishing AI-generated content without human review | Prohibited | Organisational policy; reputational and accuracy risk |
| Sharing partner or stakeholder confidential data with AI systems | Prohibited unless DPA in place | GDPR data controller obligations |
| Using AI for cybersecurity surveillance of staff or visitors | Prohibited | EU AI Act prohibited practice category |
| Fully automated social media posting with no human approval | Restricted | Permitted only with post-publication review process and clear rollback procedure |
5. Data classification and AI access rules
Data classification determines which data may be shared with AI systems and under what conditions. Before any data is provided to an AI tool, staff must identify its classification level below and apply the corresponding access rule.
| Level | Definition | Examples | AI access |
|---|---|---|---|
| Level 1 — Public data | Information already published or intended for public release. | Website content, published statistics, press releases, destination marketing materials. | Permitted for all approved AI tools with no restriction. |
| Level 2 — Internal operational data | Internal documents not intended for public release but containing no personal or sensitive data. | Internal reports, meeting agendas, draft strategies, operational plans. | Permitted for internal AI tools only. Must not be uploaded to external AI platforms without leadership approval. |
| Level 3 — Partner and stakeholder data | Information shared by partner organisations, suppliers, or funders under an expectation of confidentiality. | Partner financial data, joint strategy documents, commercial agreements. | Restricted. Requires explicit approval from the data owner and a data processing agreement with the AI vendor. |
| Level 4 — Personal data | Any information relating to an identified or identifiable natural person as defined under GDPR. | Staff records, visitor survey responses linked to individuals, contact lists, event registration data. | Prohibited in external AI systems unless a GDPR-compliant DPA is in place and the processing has a defined legal basis. |
| Level 5 — Sensitive and confidential data | Data whose disclosure would create legal, financial, reputational, or regulatory risk. | Unpublished financial data, board deliberations, legal correspondence, special category personal data. | Prohibited in all AI systems except those hosted entirely within the organisation's own controlled infrastructure. |
6. Approved AI tool inventory
The following AI tools are approved for use within the organisation as of [review date]. All tools have been assessed against the criteria in Section 7. New tools must be assessed and approved before use.
| Tool name | Primary function | Approved for | Data classification limit | DPA in place | Review date | Approved by |
|---|---|---|---|---|---|---|
| [AI writing tool] | Content drafting | Marketing and communications | Level 2 maximum | [Yes/No/Required] | [Date] | [Name/role] |
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
| [ ] | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
7. Vendor assessment criteria
Before adopting any new AI tool, the organisation will assess it against the following criteria. Tools that do not meet the minimum standard in a required category will not be adopted until the deficiency is resolved.
Data and privacy
- Does the vendor have a published privacy policy that is GDPR-compliant?
- Is a data processing agreement available?
- Is data used to train the vendor's models, and if so, can this be opted out of?
- Where is data stored, and is it stored within the EEA?
- What is the vendor's data retention and deletion policy?
Governance and transparency
- Does the vendor publish information about how the AI system works?
- Is there a human escalation path for errors or harmful outputs?
- Has the vendor published an AI ethics policy or responsible AI commitment?
- Is the vendor subject to the EU AI Act, and if so, what risk category does the system fall into?
Operational and commercial
- What is the total cost of ownership including training, integration, and ongoing maintenance?
- What happens to the organisation's data if the vendor ceases trading or is acquired?
- Is the tool accessible to staff with varying levels of digital literacy?
- Is training or onboarding support provided?
8. Staff obligations and training
8.1 All staff
- Read and confirm understanding of this strategy on adoption and at each annual review.
- Use only approved AI tools for organisational tasks.
- Apply data classification rules before sharing any data with an AI system.
- Report suspected misuse, errors, or unexpected outputs to the AI governance lead.
- Never publish or share AI-generated outputs without human review.
8.2 AI governance lead
- Maintain the approved tool inventory and conduct annual review.
- Assess new tool requests against vendor criteria in Section 7.
- Maintain records of DPAs and data processing agreements.
- Report to leadership on AI governance at least annually.
- Coordinate staff training on AI use and this strategy.
8.3 Training requirements
Minimum training requirement: all staff using AI tools must complete an induction covering this strategy, data classification rules, and the permitted/restricted use case framework before using any approved AI tool.
[Organisation to specify: training format, provider, and frequency of refresher training.]
9. Implementation roadmap
Phase 1 — Foundation (Months 1–3)
Tasks: Adopt this strategy at board or leadership level. Name the AI governance lead. Complete the approved tool inventory for tools already in use. Assess current tools against vendor criteria and identify any compliance gaps. Brief all staff on this strategy.
Scale note: Small DMOs (under 10 staff) may complete this phase in four to six weeks. Large DMOs (over 50 staff) with multiple departments should allow the full three months. Mid-size DMOs (10–50 staff) should plan for the full quarter if multiple teams are involved.
Phase 2 — Compliance (Months 3–6)
Tasks: Resolve any compliance gaps identified in Phase 1. Put DPAs in place for all tools processing personal data. Conduct Data Protection Impact Assessments where required. Complete minimum staff training. Establish a review calendar for annual governance checks.
Scale note: Small DMOs may combine the DPIA and DPA steps into a single review; larger DMOs should run them per department or data domain.
Phase 3 — Expansion (Months 6–12)
Tasks: Identify additional AI use cases that align with permitted categories and organisational priorities. Assess candidate tools using vendor criteria. Pilot new tools with defined success metrics. Report on AI adoption to leadership or board.
Scale note: Large DMOs should pilot in a single department before organisation-wide rollout; small DMOs can pilot organisation-wide given their scale.
Phase 4 — Optimisation (Year 2 onwards)
Tasks: Annual review of strategy and tool inventory. Update in response to regulatory developments, particularly EU AI Act implementation milestones. Participate in peer-network learning on AI governance in the DMO sector. Consider publishing a transparency statement on AI use for external stakeholders.
10. Review and amendment
This strategy will be reviewed by [AI governance lead role] annually, with a report presented to [board/leadership body] no later than [month] each year. Interim amendments may be made by [AI governance lead role] in response to significant regulatory changes, subject to ratification at the next scheduled review.
Amendment log
| Version | Date | Amendment description | Approved by |
|---|---|---|---|
| [ ] | [ ] | [ ] | [ ] |
11. Related documents
This strategy should be maintained alongside the following related documents. Link or reference each from your organisation's document management system:
- Data Protection Policy
- GDPR Privacy Notice
- Acceptable Use Policy (IT)
- Procurement Policy
- Staff Code of Conduct
- [Any sector-specific governance framework applicable to the organisation]