AI Strategy Template for Destination Organisations

This is a template document. All text in [square brackets] must be completed by your organisation. This template does not constitute legal advice. Review with your legal counsel before formal adoption.

1. Document header

Title: AI Strategy for [Organisation Name]

Complete the following control fields before adoption:

  • Organisation name: [Organisation name]
  • Approved by: [Board / leadership title]
  • Date of approval: [Date]
  • Review date (recommended: annual): [Date]
  • Version number: [e.g. 1.0]
  • Document owner: [Job title responsible for this document]

Purpose statement

This strategy sets out [Organisation Name]'s approach to the adoption, governance, and ethical use of artificial intelligence tools and systems. It applies to all staff, contractors, and partners acting on behalf of the organisation. It is a living document, reviewed annually and updated in response to changes in technology, regulation, and organisational practice.

2. Strategic context

2.1 Why this strategy exists

AI tools are increasingly available to destination management organisations for functions including content creation, data analysis, visitor engagement, translation, financial planning, and administrative automation. Without a defined strategy, AI adoption is likely to be fragmented, inconsistent, and potentially non-compliant with data protection and emerging AI regulation. This strategy provides a coherent framework for responsible adoption.

2.2 Regulatory context

This strategy is written with reference to the principal regulations that apply to AI use by organisations operating in or marketing to the European Union:

  • EU AI Act (Regulation 2024/1689/EU, in force August 2024) — classifies AI systems by risk level (unacceptable, high, limited, and minimal) and imposes obligations on the deployers of high-risk systems, including risk management, human oversight, transparency, and record-keeping.
  • EU General Data Protection Regulation (GDPR, Regulation 2016/679/EU) — governs how personal data may be collected, processed, and shared, including where personal data is processed by AI systems.
  • Data Protection Impact Assessment (DPIA) — required where AI tools process personal data at scale or are likely to result in a high risk to the rights and freedoms of individuals.

Note: Organisations outside the EU should identify the equivalent regulatory framework in their jurisdiction and adapt this section accordingly.

2.3 Organisational context

[Brief description of the organisation's size, structure, primary functions, and the markets or destinations it serves. Note the organisation's existing digital maturity and any relevant prior experience with data-driven tools.]

3. Vision and principles

Vision statement

[Organisation Name] will use artificial intelligence to improve the quality, efficiency, and reach of its work, while maintaining human oversight of all decisions that affect stakeholders, partners, visitors, or staff. AI will support human judgement, not replace it.

Governing principles

Principle 1 — Human oversight

All AI-generated outputs that are published, shared externally, or used in decision-making must be reviewed and approved by a named staff member before use. No AI output may be published or acted upon without human review.

Principle 2 — Data minimisation

AI tools will only be given access to the data they require for the specific task. Staff must not share sensitive, personal, or confidential data with external AI systems unless a data processing agreement is in place and the sharing is necessary for a defined organisational purpose.

Principle 3 — Transparency

Where AI tools are used to create content that will be published or shared externally, the organisation will maintain an internal record of AI involvement. Where disclosure to external parties is required by law or regulation, it will be provided.

Principle 4 — Accountability

A named individual holds responsibility for AI governance within the organisation. This role is defined in the organisation's operational governance documents. In small organisations this may be the CEO or director. In larger organisations a dedicated role or working group is recommended.

Principle 5 — Non-discrimination

AI tools selected and used by the organisation must not produce outputs that discriminate on the basis of nationality, ethnicity, gender, age, disability, religion, or any other protected characteristic. Where bias is detected in an AI tool's outputs, use of that tool for the relevant function must be suspended pending review.

Principle 6 — Continuous review

This strategy and the organisation's AI tool inventory will be reviewed at least annually. Reviews will assess whether tools in use remain appropriate, whether new regulatory requirements have emerged, and whether the organisation's AI maturity has developed sufficiently to expand or restrict permitted use cases.

4. Permitted and restricted use cases

Table A — Permitted use cases

FunctionPermitted AI usesConditions and limitations
Content creationDrafting marketing copy, social media posts, website text, translated contentAll outputs require human review before publication. AI must not be used to fabricate quotes, statistics, or visitor testimonials.
Data analysisProcessing visitor statistics, identifying demand patterns, analysing survey resultsOnly anonymised or aggregated data may be used. Personal data must not be uploaded to external AI systems without a DPA.
Administrative tasksDrafting internal documents, meeting summaries, correspondence templatesOutputs must be reviewed before sending. Confidential information must not be shared with external AI systems.
TranslationTranslating marketing materials, website content, partner communicationsHuman review required for all published translations. Legal or contractual documents must not be translated by AI without professional verification.
Research and monitoringSummarising reports, monitoring media mentions, identifying competitor activitySources must be verified independently. AI summaries must not be cited as primary sources in official documents.
Visitor-facing toolsChatbots, recommendation engines, multilingual support toolsVisitors must be informed they are interacting with an automated system. A human escalation path must be available.
Financial and operational planningBudget modelling, demand forecasting, resource allocation supportAI outputs are advisory only. Final decisions rest with named budget holders.

Table B — Restricted and prohibited use cases

Use caseStatusReason
Automated decision-making affecting individuals (e.g. staff, applicants)ProhibitedGDPR Article 22 and EU AI Act high-risk classification
Processing of special category personal data (health, ethnicity, religion, political opinion)ProhibitedGDPR Article 9; requires explicit legal basis not typically available to DMOs
Generating visitor images depicting real individuals without consentProhibitedGDPR and image rights obligations
Publishing AI-generated content without human reviewProhibitedOrganisational policy; reputational and accuracy risk
Sharing partner or stakeholder confidential data with AI systemsProhibited unless DPA in placeGDPR data controller obligations
Using AI for cybersecurity surveillance of staff or visitorsProhibitedEU AI Act prohibited practice category
Fully automated social media posting with no human approvalRestrictedPermitted only with post-publication review process and clear rollback procedure

5. Data classification and AI access rules

Data classification determines which data may be shared with AI systems and under what conditions. Before any data is provided to an AI tool, staff must identify its classification level below and apply the corresponding access rule.

LevelDefinitionExamplesAI access
Level 1 — Public dataInformation already published or intended for public release.Website content, published statistics, press releases, destination marketing materials.Permitted for all approved AI tools with no restriction.
Level 2 — Internal operational dataInternal documents not intended for public release but containing no personal or sensitive data.Internal reports, meeting agendas, draft strategies, operational plans.Permitted for internal AI tools only. Must not be uploaded to external AI platforms without leadership approval.
Level 3 — Partner and stakeholder dataInformation shared by partner organisations, suppliers, or funders under an expectation of confidentiality.Partner financial data, joint strategy documents, commercial agreements.Restricted. Requires explicit approval from the data owner and a data processing agreement with the AI vendor.
Level 4 — Personal dataAny information relating to an identified or identifiable natural person as defined under GDPR.Staff records, visitor survey responses linked to individuals, contact lists, event registration data.Prohibited in external AI systems unless a GDPR-compliant DPA is in place and the processing has a defined legal basis.
Level 5 — Sensitive and confidential dataData whose disclosure would create legal, financial, reputational, or regulatory risk.Unpublished financial data, board deliberations, legal correspondence, special category personal data.Prohibited in all AI systems except those hosted entirely within the organisation's own controlled infrastructure.

6. Approved AI tool inventory

The following AI tools are approved for use within the organisation as of [review date]. All tools have been assessed against the criteria in Section 7. New tools must be assessed and approved before use.

Tool namePrimary functionApproved forData classification limitDPA in placeReview dateApproved by
[AI writing tool]Content draftingMarketing and communicationsLevel 2 maximum[Yes/No/Required][Date][Name/role]
[ ][ ][ ][ ][ ][ ][ ]
[ ][ ][ ][ ][ ][ ][ ]
[ ][ ][ ][ ][ ][ ][ ]
[ ][ ][ ][ ][ ][ ][ ]
[ ][ ][ ][ ][ ][ ][ ]

7. Vendor assessment criteria

Before adopting any new AI tool, the organisation will assess it against the following criteria. Tools that do not meet the minimum standard in a required category will not be adopted until the deficiency is resolved.

Data and privacy

  • Does the vendor have a published privacy policy that is GDPR-compliant?
  • Is a data processing agreement available?
  • Is data used to train the vendor's models, and if so, can this be opted out of?
  • Where is data stored, and is it stored within the EEA?
  • What is the vendor's data retention and deletion policy?

Governance and transparency

  • Does the vendor publish information about how the AI system works?
  • Is there a human escalation path for errors or harmful outputs?
  • Has the vendor published an AI ethics policy or responsible AI commitment?
  • Is the vendor subject to the EU AI Act, and if so, what risk category does the system fall into?

Operational and commercial

  • What is the total cost of ownership including training, integration, and ongoing maintenance?
  • What happens to the organisation's data if the vendor ceases trading or is acquired?
  • Is the tool accessible to staff with varying levels of digital literacy?
  • Is training or onboarding support provided?

8. Staff obligations and training

8.1 All staff

  • Read and confirm understanding of this strategy on adoption and at each annual review.
  • Use only approved AI tools for organisational tasks.
  • Apply data classification rules before sharing any data with an AI system.
  • Report suspected misuse, errors, or unexpected outputs to the AI governance lead.
  • Never publish or share AI-generated outputs without human review.

8.2 AI governance lead

  • Maintain the approved tool inventory and conduct annual review.
  • Assess new tool requests against vendor criteria in Section 7.
  • Maintain records of DPAs and data processing agreements.
  • Report to leadership on AI governance at least annually.
  • Coordinate staff training on AI use and this strategy.

8.3 Training requirements

Minimum training requirement: all staff using AI tools must complete an induction covering this strategy, data classification rules, and the permitted/restricted use case framework before using any approved AI tool.

[Organisation to specify: training format, provider, and frequency of refresher training.]

9. Implementation roadmap

Phase 1 — Foundation (Months 1–3)

Tasks: Adopt this strategy at board or leadership level. Name the AI governance lead. Complete the approved tool inventory for tools already in use. Assess current tools against vendor criteria and identify any compliance gaps. Brief all staff on this strategy.

Scale note: Small DMOs (under 10 staff) may complete this phase in four to six weeks. Large DMOs (over 50 staff) with multiple departments should allow the full three months. Mid-size DMOs (10–50 staff) should plan for the full quarter if multiple teams are involved.

Phase 2 — Compliance (Months 3–6)

Tasks: Resolve any compliance gaps identified in Phase 1. Put DPAs in place for all tools processing personal data. Conduct Data Protection Impact Assessments where required. Complete minimum staff training. Establish a review calendar for annual governance checks.

Scale note: Small DMOs may combine the DPIA and DPA steps into a single review; larger DMOs should run them per department or data domain.

Phase 3 — Expansion (Months 6–12)

Tasks: Identify additional AI use cases that align with permitted categories and organisational priorities. Assess candidate tools using vendor criteria. Pilot new tools with defined success metrics. Report on AI adoption to leadership or board.

Scale note: Large DMOs should pilot in a single department before organisation-wide rollout; small DMOs can pilot organisation-wide given their scale.

Phase 4 — Optimisation (Year 2 onwards)

Tasks: Annual review of strategy and tool inventory. Update in response to regulatory developments, particularly EU AI Act implementation milestones. Participate in peer-network learning on AI governance in the DMO sector. Consider publishing a transparency statement on AI use for external stakeholders.

10. Review and amendment

This strategy will be reviewed by [AI governance lead role] annually, with a report presented to [board/leadership body] no later than [month] each year. Interim amendments may be made by [AI governance lead role] in response to significant regulatory changes, subject to ratification at the next scheduled review.

Amendment log

VersionDateAmendment descriptionApproved by
[ ][ ][ ][ ]

11. Related documents

This strategy should be maintained alongside the following related documents. Link or reference each from your organisation's document management system:

  • Data Protection Policy
  • GDPR Privacy Notice
  • Acceptable Use Policy (IT)
  • Procurement Policy
  • Staff Code of Conduct
  • [Any sector-specific governance framework applicable to the organisation]