With the compliance deadline from May 25, 2018, it’s now under 40 days until GDPR, or the General Data Protection Regulation comes into force. And though it’s a European Union law, it is likely that hotels around the world will be touched by it.

Here is some insight into readying your hotel for the biggest change to data protection in the EU for over two decades.


What is GDPR?

The EU’s General Data Protection Regulation (GDPR) is the conclusion of four years of determinations to update data protection for the twenty-first century, in which people regularly allowance permissions to use their personal information for a variety of reasons in exchange for ‘free’ services.


In the UK, General Data Protection Regulation (GDPR) will replace the Data Protection back to 1998, which was brought into regulation as a system to implement the 1995 EU Data Protection Directive. GDPR seeks to give people more control when organizations use their data and introduced big penalties for organizations that fail to comply with the rules, and for those that suffer data breaches. It also makes sure that data protection law is identical across the EU.



Let’s start, to what General Data Protection Regulation (GDPR)  is and why it matters for hotels. Rehash, it’s new rule designed to support data protection rules across the EU and appropriate with the digital world these days. It will make much clearer about what data they collect and why.

Hotels are likely to be considered a ‘data controller’ under GDPR, which means you determine the purposes and means of processing personal data. That comes with obligations as to contracts with ‘data processors’, which are responsible for processing personal data on behalf of a controller.


For all that an EU law, GDPR may relate to businesses outside the EU for goods or services to individuals in the region. Failure to obey risks a penalty of up to 4% of worldwide revenue.


Data Mapping

Data mapping allows you to find the information that your organization has and how it transfers from one location to another. By mapping of data, you will be able to review the most effective way of processing data and identify any unexpected and unintended procedures.

A data map should identify the following key aspects :

  • Data items (e.g. names, email addresses, records)
  • Formats (e.g. hard copy forms, online data entry, database)
  • Transfer methods (e.g. post, telephone, internal/external)
  • Locations (e.g. offices, Cloud, third parties)

A data map will be able to see who has access to the data and who is accountable for it. It’s a time consuming and complicated process that requires involvement from teams across your organization. But it’s over this that you can understand exactly how GDPR will trace your business and adapt accordingly.


Contact Third Parties

Hospitality is very interlinked as an industry. Hotels work with any third parties, such as OTAs and booking engines, many of whom could come into contact with its data.

Following the data mapping exercise, you should have a list of these third parties and what data they might encounter. Identify how they plan to address GDPR so you will have the whole image of your obligations. Should be your responsibility to make sure that the third parties you work with are GDPR-compliant.

Let’s say for an example if you use Booking.com as a customer, inputs your details and some of your details are automatically sent to the hotel. In this situation, the traveler has no interaction with the hotel until they arrive and check-in. So as a hotel, what you really need to make sure of is that at the time of Booking.com collecting that data on your behalf, it has been made based on the customer that the data will conduct to the hotel and be directed by the hotel’s privacy policy.


Update Your Privacy Policy

While the EU General Data Protection Regulation (GDPR) getting more intense in May 2018, European regulators are still making progress about guidance and member states are still adopting legislation to accommodate national differences. It is uncertain how they prepare for the GDPR related to some issues. For other issues, companies can confidently act now and will help from doing it.

Your existing policy, which must show a lawful basis for processing data. It must describe where you are using data under compliance, or use it for genuine business purposes, or to make a contract with a data subject, or in other ways such as to carry out legal and regulatory obligation.


Communications Strategy

One of the core values of GDPR is that consumers will be much more aware of how their information is being used. It’s essential therefore that you communicate any changes you expect to make under GDPR to your client base. Perhaps you’ll email your guests or use your loyalty scheme to post a notice.
Much like the data mapping exercise, consider all the ways in which you speak with your customers and what might be the most appropriate method of explaining your GDPR plans, for example, in an email asking existing contacts to confirm their subscription, or posting a notice to loyalty scheme members.
Setting this out in a comprehensive communications strategy is strongly advised to ensure you’re covering all your bases.


Incident Response Plan

Under GDPR, we must all be ready to deal with any potential personal data breaches. The rules situation that if you use a ‘data processor’, for example, an OTA or channel manager, and it suffers a breach, you’re required to take steps to address it.

In some cases, there is a 72-hour time limit to notify authorities of a breach and provide information, so the plan must be tested to ensure it can meet that deadline.


What is Compliance?

Given the full environment of the changes coming under GDPR, it is no surprise that there is a feeling of confusion in some circles about the capability to be compliant by May.

But listening to professionals, it seems there is a credit among authorities that organizing a business for GDPR is a sizeable task and there will be leeway if you can demonstrate to both authorities and customers that you are doing your utmost to comply. What won’t be tolerated however is flagrant and willful breaches of the law.


Data Protection Outside the EU

Of course, GDPR is not the only data protection system around. Countries around the world have their own rules and in an ideal world, hotels would have a privacy context that takes into account all the relevant regulations.








Lily McIlwain (19 April 2018) : GDPR: The Checklist.

Retrieved from. https://ehotelier.com/insights/2018/04/19/gdpr-checklist-hotels/

Joe Curtis (12 April 2018) : What is GDPR? Everything you need to know before the 2018 deadline

Retrieved from. http://www.itpro.co.uk/it-legislation/27814/what-is-gdpr-everything-you-need-to-know