GDPR: a checklist for hotels

Hospitality is full of acronyms. ADR, PMS, GOPPAR, MICE… the list seems endless. But at the moment, there are few more important than GDPR.

With the compliance deadline of May 25, 2018, it’s now under 40 days until GDPR, or the General Data Protection Regulation, comes into force. And though it’s a European Union law, it’s likely that hotels around the world will be touched by it.

Here is some insight into readying your hotel for the biggest change to data protection in the EU for over two decades.

GDPR: a recap

First off, let’s revisit what GDPR is and why it matters for hotels. In a nutshell, it’s new legislation designed to align data protection rules across Europe and fit with today’s digital world. It will mean businesses have to be much clearer about what data they collect and why.


Hotels are likely to be considered a ‘data controller’ under GDPR, which means you determine the purposes and means of processing personal data. That comes with obligations as to contracts with ‘data processors’, which are responsible for processing personal data on behalf of a controller.

Though an EU law, GDPR may apply to businesses outside the EU if they offer goods or services to individuals in the region, or monitor their behaviour there. Failure to comply risks a penalty of up to 4% of annual worldwide turnover or €20 million, whichever is higher.

Data mapping

The first step on our GDPR journey was to conduct a full audit of the data we collect during the course of our work. Through a data mapping exercise, we determined the following:

  • What data we collect
  • Why we collect it
  • What our intention is for that data
  • The retention policy toward that data

We won’t lie, it’s a time-consuming and complicated process that requires involvement from teams across your organization. But it’s through this that you can understand exactly how GDPR will touch your business and adapt accordingly. Company-wide buy-in to your GDPR preparations is crucial.

“In order to operationalize the GDPR we need to incorporate it into how the organization does business in general,” says Samantha Simms, information law attorney and founder of The Information Collective. “GDPR compliance must not be standalone; it’s a living piece of law that must form part of the DNA of the company.”

Contact third parties

Hospitality is an exceptionally interlinked industry. Hotels work with numerous third parties, such as OTAs and booking engines, many of which could come into contact with guest data.

Following the data mapping exercise you should have a list of these third parties and what data they might encounter. Find out how they plan to address GDPR so you have the complete picture of your obligations. It is your responsibility to ensure that the third parties you work with are GDPR-compliant.

You also need to ensure that customers are aware when you’re collecting their data via a third-party site.

“If you think about, for example, when a customer inputs their details some of those details are automatically sent to the hotel,” says Samantha. “In this situation the traveler has no interaction with the hotel until they arrive at the check-in desk. So as a hotel, what you really need to make sure of is that at the time of collecting that data on your behalf, it has been made clear to the customer that the data will come over to the hotel and be governed by the hotel’s privacy policy.”

Update your privacy policy

On that note, refreshing your privacy policy is another important early move. According to Samantha, it’s likely that you’ll be looking at an “extensive rewrite” of your existing policy, which must show a lawful basis for processing data.

“It must describe where you are using data under consent, or using it for legitimate business purposes, or to perform a contract with a data subject (i.e. customer), or in other ways such as to carry out legal and regulatory obligations,” Samantha says.

Once complete, ensure the updated version is published on your website.

Communications strategy

One of the core principles of GDPR is that consumers will be much more aware of how their information is being used. It’s essential therefore that you communicate any changes you expect to make under GDPR to your client base. Perhaps you’ll email your guests or use your loyalty scheme to post a notice.

Much like the data mapping exercise, consider all the ways in which you speak with your customers and what might be the most appropriate method of explaining your GDPR plans, for example in an email asking existing contacts to confirm their subscription, or posting a notice to loyalty scheme members.

Setting this out in a comprehensive communications strategy is strongly advised to ensure you’re covering all your bases.

Incident response plan

Under GDPR, we must all be prepared to deal with any potential personal data breaches. The rules state that if you use a ‘data processor’, for example an OTA or channel manager, and it suffers a breach, the processor must inform you without undue delay and you, as the controller, remain responsible for taking steps to address it, including any notification to the supervisory authority.

Samantha’s advice is to have an incident response plan in place. Where a breach must be reported, there is a 72-hour time limit, counted from when you become aware of it, to notify the supervisory authority and provide information, so the plan must be tested to ensure it can meet that deadline.

Check out the ICO’s checklist for an idea of what a plan might entail.

What is compliance?

Given the sweeping nature of the changes coming under GDPR, it’s no surprise that there is a feeling of mild panic in some circles about the ability to be compliant by May.

But listening to experts, it seems there is a recognition among authorities that readying a business for GDPR is a sizeable task and there will be leeway if you can demonstrate to both authorities and customers that you are doing your utmost to comply. What won’t be tolerated, however, is flagrant and wilful breaches of the law.

Data protection outside the EU

Of course, GDPR is not the only data protection regime around. Countries around the world have their own rules and in an ideal world hotels would have a privacy framework that takes into account all the relevant regulations.

The good news for anyone getting to grips with GDPR is that the EU legislation has some of the highest standards when it comes to privacy regulations. As Samantha says: “You need to have a robust yet flexible privacy program to handle any changes, but if you put GDPR at its core you can’t go too wrong.”

About the author

Lily McIlwain is the Content Manager at Triptease. Interested in finding out more about Triptease and GDPR? Get in touch via the website.
