Is Your Hospitality Business Ready For GDPR?

Of course you’ve heard of GDPR, it’s been a hot topic for months. But are you ready for it?

Whether you’re a landlord with one pub, or the owner of a hotel chain, the new regulations will apply to you. So here is a quick guide to the changes and to some of the steps that you should be taking.

 What is GDPR?

The General Data Protection Regulation (GDPR) is the new legal framework that will replace all the current data protection legislation in the EU. It’s a set of guidelines for the collection and processing of personal data, and the aim is to give people more control over their own data. GDPR will supersede the Data Protection Act 1998, and we’ll see tougher penalties for the non-compliance and breaches. GDPR comes in to force on May 25th 2018, so you’ll need to have adequate measures in place by this date.

 Will it apply to my business?

The short answer is ‘yes’.

All businesses must comply if they are involved in the processing of personal data and your hospitality business will hold almost certainly hold personal data such as guest details, credit card information, or an email mailing list.

 What if I’m not ready?

If a complaint is filed against your business, you’re potentially looking at a fine of up to €20m or 4% of your annual global turnover, whichever is the greater. Having said that, the ICO has also stated that “it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm”.

It also makes good business sense to demonstrate that you’re compliant with GDPR. Customers value their privacy and want to know that you are respectful of this.

 What do I need to do?

The Information Commissioner has described GDPR as ‘an evolution, not a revolution’. Although it may sound like there will be a lot of work, for most businesses it’s likely to be a case of reviewing, tightening up and enhancing your existing policies and processes. Here are eight steps to help you get on top of GDPR

1.      Review the personal data that you currently hold.

This includes data on both employees and customers. In addition to your paper and online filing systems, you may be holding personal data in:

  •  Booking Engines
  • CRM systems
  • Customer databases
  • Email marketing lists
  • Membership lists
  • Payment processors
  • Social media marketing tools
  •  Website cookies

You need to establish exactly what personal data you are holding, and then document your findings. Make a record of what information you hold, where it came from, where it is stored, who it is shared with, and whether you have obtained consent before collecting it.

During this review, it’s a good idea to shred or securely delete any data that is no longer required.

2.      Make all of your team aware of the changes.

You’ll need buy-in from everyone. Managers need to fully understand GDPR and its impact on their department. Employees should also be trained to comply with the requirements and they also need to know what to do in the event of a personal data breach.

3.      Make your customers aware of the changes

You’ll have an obligation to make customers aware of their rights under GDPR. These rights include:

  • The right of access to their data
  • The right to rectification
  • The right to erase
  • The right to restrict processing
  • The right to transfer their data to another party
  • The right to object
  • The right not to be included in automated marketing initiatives or profiling

You will need to be prepared to handle any questions or requests from guests regarding their rights. You’ll have one month to provide an answer to any queries and you can’t charge a fee for this. If you decide to refuse a request, then you must provide your guest with the reasons for this and also give them the details for the Privacy Commission, so that they are able to file a complaint if they wish to.

In addition, ‘making customers aware’ will probably require you to update documents such as your website privacy policy and your Ts&Cs.

4.      Be aware of the purpose of the data you are collecting.

When you’re capturing guest data it will need to be for a specific reason. For example, if you ask for an email address to send a table booking confirmation, you cannot then automatically add this address to your marketing list.

You also need a lawful reason for collecting any data. It’s a good idea to conduct a review of all the questions you are asking guests (on your booking forms, registration cards, email sign-up forms etc.). Can you justify requesting all of the data? You may need to know their address for billing purposes, but is a date of birth necessary?

5.      Get consent

You must be able to prove that you have been given consent to use data in the manner in which you are using it.  You’ll need to disclose your purpose for collecting the data and how long you intend to keep it for.

You must get a clear opt-in from your customer to receive any communications, rather than presenting them with an option to opt-out.


  • You cannot use any pre-ticked boxes for opting-in on your forms
  • The opt-in must be a positive statement. You can’t ask people to tick ‘if they don’t want to join your list’.
  • For email subscriptions, a double opt-in process is the best method for proving that you have obtained consent. This requires the subscriber to complete and submit an online form. They will then receive a confirmation email asking them to click on a link to verify their email.
  • If your existing email marketing list did not require a double opt-in, it would be wise to reconfirm permission with all those currently on it.
  • Be specific about what communications people are opting in to receive. Is it a weekly update? Special offers? If you have several types of communication, then obtain separate confirmations for each one.
  • Make it very easy to unsubscribe. There should be a clear unsubscribe button on all of your communications.

There’s an additional consent consideration for children under 16. Authorisation to process a minor’s data, for example at a hotel check-in, must obtained from their parents or a responsible adult.

And remember – even if you purchased a mailing list from a third party, it is still your responsibility to ensure that you have consent from those customers to use their data.

6.      Review your data storage processes.

When you’re storing data, the storage method needs to be secure. You should have a company-wide policy in place, and educate your team on how to keep data secure.

Electronic Storage:

  • Audit your systems What data are you storing and where is it being held (CRM system? Excel spreadsheets? Cloud storage?)
  • Who can access this data? Is it secure and accessible only to those who have permission to use it? Is it just your employees, or do you work with suppliers or contractors who also access this data?
  • Do you have permission to store this data? If not, are you going to delete it, or contact the subjects to request consent?
  • Where are the servers for the systems that you use located? Under GDPR businesses will be prohibited from transferring personal data outside of the EU to a country that does not have adequate data protection.  You will need to check where the servers that you are using are based and, if they are outside the EU, consider using the Privacy Shield to ensure compliance. This includes servers located in the US!
  • Encrypt your devices. Although passwords will provide an element of security, only encryption will protect data if your device is lost or stolen. Remember to encrypt devices like external hard drives and mobile phones, as well as laptops and pcs.
  • Protect your devices against viruses. It’s important to invest in good virus protection. Free software generally isn’t going to be adequate, so protect your network and storage systems the latest intrusion detection   programs. For extra security you can conduct penetration testing.
  • Passwords. Create strong passwords (use a mixture of symbols, numbers, upper and lowers cases). Don’t base them of any personal details such as birthdays! Change your passwords regularly and store them in a safe place such as Lastpass.
  • Back-Up your data. Hopefully you’re already backing up your data regularly as it’s good business practice. It’ll be even more important under GDPR because in the event of a data breach, you will have an obligation to inform anyone who has had their data compromised.  If a laptop with a file of personal details has been stolen, you’ll need the back up to establish who has been affected. You can back-up to a hard drive, the cloud or a mixture of both.

7.      Check that your payment processes are compliant

As a hospitality company, you are likely to be accepting card payments every day. A good start is to ensure that you are already compliant with the Payment Card Industry Data Security Standard (PCI DSS). The two standards overlap significantly and complying with PCI DSS will demonstrate that that you are compliant with GDPR.

8.       Data breaches or theft

You need to put a process in place to detect, and remedy any data theft concerning personal data. Any incident should be reported within 72hrs to the Privacy Commission, for all cases where there is a risk that guest data may have been compromised.

This article is based on my interpretation of GDPR and how it will affect the hospitality industry. Please treat it as a guide, rather than gospel!  For the most comprehensive and up-to-date information on GDPR, I recommend looking at the ICO website.

Complying with GDPR may seem a huge task, but it’s a great opportunity to review your processes and systems. It’s also a chance to really think about the data that you’re collecting and how you can use this to add value for your customers. The requirement for consent means that people on your mailing list genuinely want to hear from you, giving you a great platform to develop your relationships and build brand loyalty.

If you’re struggling with your preparations for GDPR, I’d love to meet you for a coffee and a chat about how you can get ready. There is no charge, and no obligation to use any of my services. I can be contacted at