March 26, 2018 · Stuart Butler

Fuel Hotel Marketing Podcast: Episode 82 – What Hotels Need To Know About GDPR Before It’s Too Late

In this episode, we dig into all things GDPR and try to lay out exactly what you need to know and do prior to the May 25th deadline. There’s a lot of information and misinformation floating around about GDPR and we try to cut through the noise and break it all down Fueligan style.

Subscribe to the Fuel Hotel Marketing Podcast on iTunes Listen to the Fuel Hotel Marketing Podcast on Soundcloud Listen to the Fuel Hotel Marketing Podcast on StitcherGoogle-play-logo
If you like what you hear, please leave a comment below, share it with your friends, and also leave a review.

What is GDPR?

The General Data Protection Regulation (GDPR) is the new law regulating how companies handle and protect personal data of citizens of the European Union.

When Will GDPR take effect?

GDPR becomes enforceable from 25 May, 2018 and your hotel should be compliant before that date.

Who is subject to GDPR Compliance?

Any property or company that markets goods or services to EU residents, regardless of its location, is subject to the regulation. While GDPR doesn’t actually cover EU citizen’s interactions when they are outside of the EU, if the EU citizen books their stay from a location within the EU, then the data is covered under GDPR. As a result, GDPR compliance is required by every hotel or management group that allows EU citizens to book at their property.

What happens if my hotel doesn’t comply with GDPR?

Hotels that fail to achieve GDPR compliance before the deadline may be subject to stiff penalties and fines.  Depending on the nature of the violation, the penalties for GDPR non-compliance, which can be up to 4% of the violating company’s global annual revenue or 20 million Euros (whichever is greater). Much like the current regulations under the existing Data Protection Directive, the reality is that most companies who are found to be in violation will be instructed to rectify the situation without initially incurring fines. However, it’s certainly not worth the risk.

What are the GDPR requirements?

The data protection and privacy requirements of GDPR contain 11 chapters and 91 articles.The specific requirements depend on whether you are a data controller or a data processor. The most impactful rules for the majority of hotels relate to the following:

  • Requiring the guests explicitly consent to data collection and processing
  • Clearly informing the guests of what’s being collected, what it’s used for, who it’s used by, and how long it’s going to be stored
  • Clearly informing the guests of their rights related to their data and providing them with a method to request copies of their data or to have their data removed at any time.
  • Safely handling the transfer of data across borders and between companies
  • Providing notifications of data breaches via specific channels and within specific timeframes
  • Anonymizing data to protect the guest’s privacy
  • Not using the data to preferentially serve segments of your database. I.e. no special rates for people from EU.
  • Some companies are also required to appoint a data protection officer to oversee GDPR compliance. Specifically, this impacts any company that processes data revealing a subject’s genetic data, health, racial or ethnic origin, religious beliefs, etc. and therefore will not impact the majority of hotels. However, there are a few things you need to be aware that could impact hotels and you should probably avoid storing:
    • Health status – could be disclosed in guest requests for special assistance
    • Religious/political beliefs or trade union membership – could be obtained by attendance to a specific event
    • Racial/ethnic origin – just don’t collect this info, and certainly don’t use it for targeting marketing campaigns.
    • Biometrics – if you happened to use retinal or fingerprint scanners
    • Sexual orientation – not sure how you’d obtain this, but you never know


Is my hotel a data controller or a data processor?

In almost every case, you are likely a data controller because you “control” the data. If you are a flagged property, you may also be considered a joint controller due to the fact that both you and corporate control what happens to the data. According to the guidelines, you are a controller if you decide:

  • To collect data in the first data
  • What data to collect
  • What the purpose of the data is
  • How long to keep the data
  • Whether to disclose the data and if so, who to

You may also be a data processor, but so are many of your technology vendors such as your PMS, your eCRM, your booking engine, etc. Processors typically decide:

  • What technology systems or other methods to use to collect data
  • How to store the personal data
  • The method of transferring data between organizations
  • The method of adherence to the retention schedule
  • The method used to delete the data appropriately.

What questions should I be asking myself about GDPR?

  • What personal data do we collect or store?
  • Did we obtain the data appropriately and did we have the necessary consent?
  • Did we clearly and unambiguously inform the subject of the specific purpose for which we’ll use their data?
  • Were they informed of their right to withdraw consent at any time?
  • Are we reviewing our data to ensure that we aren’t holding it for any longer than is necessary?
  • Are we keeping the data secure by using a level of security appropriate to the risk?
  • Are we ensuring that staff only have access to the data that is required for a specific purpose?
  • Are we transferring the data to any third-parties and if so, do we have adequate protections in place?
  • What measures are my legal team and my insurance companies going to require of me?

Does the data need to be encrypted?

This is the most ambiguous part of the GDPR regulations. It’s going to be a decision you have to make based on your specific risk factors and your legal team’s requirements. If you only have a nominal number of EU guests, it may not be worth the extra time and cost to you. However, it should probably be a consideration for everyone. Hopefully, your vendors will handle this piece on your behalf.
Article 32 of the GDPR gives the following recommendations but none are requirements:

  1. The pseudonymisation (obscuring the identities) and encryption of personal data
  2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  3. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Hotel GDPR Checklist:

1. Designate someone as your Data Protection Officer

Even though this isn’t necessarily a requirement, it’s still important to have someone on-staff or an external contractor that understands the ins and outs of GDPR and can ensure that you are compliant. If you don’t have someone on staff that has the knowledge or the time to invest, we strongly recommend that you contract a third-party expert to perform a data compliance audit.

2. Map out your inbound and outbound data flow

It’s important that you understand the data that your collecting and sharing. Start out by mapping it and discussing how the data is collected, what data you actually need and what data is no longer necessary. This can reduce your risk tremendously.

3, Clean your current data

Take the time to mark the data you have and understand all of those individuals that could possibly have provided information while in the EU. Reach out to those individuals and gain explicit consent for continuing to hold and use their data. DO THIS BEFORE MAY 25th, If you don’t, you’ll have to delete them from your database for ever.

4. Update your internal policy manuals

Every staff member who may potentially collect or process guest data,  should be aware of GDPR and its implications but more importantly, they should be trained to handle and use guest data appropriately and respectfully at all times.

5. Update your privacy policies

There are many online templates that can help you craft a compliant privacy policy, the biggest thing to note is that the language used should be clear and should avoid legaleze. At a minimum, your privacy policy should include:

    • What personal information you collect
    • How and why you collect the data
    • How you use the data
    • How you secure the data
    • Any third parties with access to the data and their purpose for doing so
    • If you use cookies and why
    • How users can control any aspects of their data – see the 8 user rights under GDPR
    • Who the data controller is and their contact information
    • Whether or not you use the data to make automated decisions
    • What’s your legal basis for transfering data. – here’s the breakdown of the 6 lawful reasons for processing data under GDPR


6. Update your data collection processes

Online: You should consider moving to a double opt-in strategy for all online data acquisition. If you’re not ready for that, at the very least, you should make it clear why someone is signing up, what you intend to do with the data, and how long you will keep it for. In addition, you should document all relevant information pertaining to the signup, including date/time, ip address, method, etc, and you should require them to check a box to indicate that they understand the privacy policy, which should be clearly defined right where they are signing up from.
Offline: Also, at check-in, you should explicitly and clearly tell every guest what data you’re collecting, why you’re collecting it, what you’re using it for, and how long you’re keeping it for. You should also tell them that they can opt-out at any time. You should then obtain explicit consent from them at this time.

7. Have a data breach policy

In the event of a data breach, you must have a process by which you notify the supervisory authority within 72 hours and you must also notify the affected individuals and provide information related to the steps you have taken to remedy the situation.

8. Create methods for guests to modify and/remove their data

In the event that a guest asks for a record of all of their data, it must be provided in a standardized format within 30 days of the request. The guest may also ask that you remove their data and you must do so, unless legally required to do otherwize.

9. Ensure that any joint controllers and authorized data processors are in compliance

As a data controller, you are ultimately responsible for your data and you will need to ensure that your joint controllers and data processors are adhering to the GDPR regulations and you should update your contracts accordingly with joint controllers and obtain a data processing agreement (DPA)  from any processor vendors.

10. Seek legal council if you are concerned

Even with a designated data officer to oversee your compliance, it may still be a good idea to seek legal council to review your situation and especially your contracts.

11. Test the process thoroughly

Go through the process of providing your own data to your organization and ensure that everything is functioning as it should and that the data is being used appropriately and that you can modify, limit use of, and remove your data at any time.

Where can I find more information about GDPR

Simple google searches for ‘GDPR for hotels’ will provide plenty of nighttime reading. In addition, HTNG recently published a whitepaper and self-assessment for hotels that is very useful. Go here and click on ‘Applicable to most software systems’, then select ‘GDPR for Hospitality’ to download a zip file. If you are unsure about GDPR, then we strongly recommend that you hire an expert to help you through the process.
Hotelier Wishes
Kris Altman

  • Would love to have a booking tool available to independent hotels (similar to the airlines) that overlays room rates on top of a hotel floor plan allowing a user to book the exact room they want. …. that and a room full of monkeys to execute on every little thing marketing has to touch. 🙂

In The Newsies
Google Allowing Business to Remarket to YouTube users
Follow Us on Twitter:


Submit your questions and topic ideas on Twitter to @_travelboom.[/vc_column_text]

Share via
Copy link