GDPR for hotel industry

The General Data Protection Regulations has caused quite a stir in the hospitality industry of late. With the deadline for implementation, 25th of May 2018, drawing closer, we thought it would be a good idea to run you through the specifics.

Understanding why?

Living in a data-driven age, where we have access to ample information on various subjects, from the closing stock price of a particular company to scores of the latest game and other tabloid gossip. However, all this information may include individuals names, addresses, bank details and passport information.

In reality, most people would like to retain some control over their personal data to ensure that their data is protected. This is the reason why GDPR is being implemented by the European Union.

You may or may not operate within the European Union, so why is this applicable to you?

The gist is that you need to pay attention to GDPR requirements, if you need to process the personal information of “EU data subjects” (citizens of the EU), offer them goods or services, monitor or track their activities and do business with them.

So where do I start?

For starters you could begin with looking at your organization’s data security and data governance parameters. Before starting to process personal data, sifting through the rights and freedoms of EU data subjects should be a good place to start.

Here are a few of them for your reference:

  1. 1. For an organization like a hotel, that deals with a lot of data, having a dedicated Data Protection Officer is a must.
  2. 2. Pseudonymization is another idea put forth by the GDPR so as to have an encrypted method of tracing data to a particular individual. Thereby, restricting access to unauthorised personnel.
  3. 3. Individuals have the right to request access to any data you may have on them. To be more specific:
    1. How you will use that data?
    2. List of third parties that may have access to it
    3. For how long you will store that data?
    4. Any such request must be responded to, within a month
  4. 4. Data Portability is another right of these subjects, where in they can ask for their information to be transferred to another processor (Competitor).
  5. 5. Right to be forgotten is another area where the individuals can ask you to permanently get rid of data that you have on them. They can also withdraw any consent that they have previously given to you.
  6. 6. Notification of breach entitles you to notify the individuals who have been affected by the breach within 72 hours of its occurrence.

We’ve covered a lot of ground so far, but that’s not to say that the GDPR compliance comes without its challenges. To avoid running into any complications, it’s best that your hotel is prepared for this change. Let’s run you through a few tips to keep your head above the water:

1) Inform your staff: The first thing is to bring everyone up to speed about GDPR and the EU citizens that it affects. Since your staff will be constantly interacting with guests, it’s better that they are aware of how they can handle such situations.

2) A habit of building trust: The first step here could be to let them know that you follow these strict security standards. A certificate of GDPR compliance on your website, and frontdesk is sure to build that first level of trust.

3) Review record policies and procedures: Start documenting the information that flows into your hotel. All this information should be recorded based on:

  1. What data is stored
  2. Where it’s being stored
  3. Where the data comes from
  4. Who all have access to this data
  5. The external parties involved like distribution channels and data providers
  6. And if the guest has agreed to collecting his/her data

4) Informing and asking guests for their consent: TYour guests’ approval on handling their data is one of the key aspects that you must look into. Keeping them informed about how long this data will stay in your possession are all confidence-building measures that will ease the process for you.

5) Understanding their rights: As mentioned above, the rights of the EU citizens is something you must pay heed to. This will help you in gearing towards GDPR compliance. Being prepared does reward you!

6) Handling guest requests regarding privacy rights: Understanding how you help secure the EU citizens’ data is very important. This will enable you to sort out any queries that they may have about the security of their data. This will give you an edge, if there are any complaints raised.

7) Data Breaches: Your hotel must be prepared to handle any data breaches. You must be able to detect the breach and also identify the exact data and whom that data belongs to. A notice of breach must be brought to these individuals’ attention within 72 hours.

8) Checking with third-party service providers: There could be multiple sources that handle guest data

  1. OTAs
  2. GDS
  3. Loyalty Programs

All the above mentioned third-party service providers are connected to your Property Management System/ Central Reservation System. Make sure that they are GDPR compliant as well or it would defeat the purpose.

There’s a lot more to GDPR than the points we just covered, but these should suffice in getting you started. And if you already have, this should assist you in implementing it.

Let us know your views on the subject. If you’d like to understand something more specific about GDPR you could mention it in the comments and we can look into it curating more content on the topic.


  1. GDPR Compliance For Dummies, Informatica Special Edition

This article is originally published in ehotelier.

GDPR for hotel industry