GDPR and the Hotel Industry

GDPR and the Hotel Industry - It’s here so I hope you’re prepared

Lately you’ve received a plethora of emails in your inbox stating “our privacy policy has changed” or “click here so we can stay in touch”. That’s because GDPR will affect every company and industry--especially the hotel industry. After May 25, 2018, companies that process Personally Identifiable Information (PII) have to conform to a number of regulations.


What is GDPR?

The General Data Protection Regulation (GDPR) Law, has been seven years in the making and goes into effect May 25, 2018. The law is a replacement for the 1995 Data Protection Directive, which set minimum processing standards for processing data in the EU, and will significantly change data protection standards in technology, hospitality, advertising, and banking.

For those that hold and process large amounts of consumer data (ie technology firms, marketers, and the data brokers who connect them), failure to  notify GDPR representatives of any security breaches, can result in violation fines of up to 4% of a companies turnover can be imposed.


So how does this affect the hotel industry?

The hotel industry is considered to be one of the most vulnerable to data threats. Hotels receive an exorbitant amount of personal information for guests via daily card transactions through a variety of sources, such as third-party booking systems, point-of-sale systems, concessions, website captures, emails, faxes, phones calls and walk-ins--and store this card payment data in several places.

“GDPR, may be difficult for independent brands and small franchisee’s to navigate, but in tandem with PCI, further demonstrate our ongoing commitment, as hoteliers, to the privacy of our guests ensuring the best experiences while in our care,” states Jason Olea the Director of Information of Technology for the Houstonian Hotel Club and Spa.

It is important that hotels know the location of all of the information they hold, which can be found in places like old email archive files and even hand-written notes at the front desk.

Hotel staff has to be aware of the best GDPR practices and hotel-specific guidelines on how to collect, access, store, use, disclose, and restrict access to personal cardholder data to ensure every guest’s privacy is protected.


How Should your Hotel Create an Implementation Process?

  • The first step is to recognize and inform staff that this data belongs to the guest, not the hotel.

  • Develop and outline the best practices for adhering to the  GDPR guidelines for collecting, storing, and managing guest information.

  • Establish a code of conduct for the hotel staff and define self-regulatory audit questions that can be reviewed quarterly.

  • Review and refine your technical internal processing and retention policies for all detailed and personal information captured on guests.

  • Refine your opt-in language and privacy policy (which confirms guest acknowledgment of the storage of their personal data) so that guests understand they can request the modification or deletion of their information.


Davonne ReavesComment