What impact will GDPR have on the hotel industry?

When it comes to data security, there are few sectors as vulnerable to threats as the hotel industry.  With customers handing over card payment details and personal information on a daily basis, it is no surprise that the industry accounted for the second largest share of security breaches in 2016.  Now that the enforcement deadline for the General Data Protection Regulation (GDPR) is looming closer, hotels are facing a greater incentive to upgrade their data protection processes, or face the risk of severe financial penalties.

What is GDPR?

GDPR is a regulation to strengthen and unify data protection for individuals within the European Union. The GDPR was first published by the European Commission in January 2012, and following four years of negotiations, it was adopted in April 2016. The regulation is set to replace the existing Data Protection Directive, and following a two year implementation period, it will come into force on May 25th 2018. The introduction of GDPR will signify major changes to data protection law in Europe, as well as harsh penalties for those who do not comply.

First steps to take to adapt to the regulation

One of the first issues a hotel needs to tackle is that of data discovery. Hotels receive payment card details through email, fax, phone and their website, and this data is often stored on multiple platforms. When the company is aware of where this information is stored, it can then begin processing the information to protect it, and decide how they wish to monitor it moving forward.

Secondly, hoteliers need to adapt their website. The organisation must have access to data they are holding, as well as having the ability to change or delete this data. They must also ensure that they can prove to relevant authorities their use of system activity logs in order to track and oversee access to their network’s resources.

Hoteliers should become more wary of their third-party partners, as they can often prove to be a business’s vulnerable point in terms of data protection. A major change due to GDPR is that data processors are captured by the regulations as well as data controllers. This means that if a hotel, as a data controller, is outsourcing the process of data to a third party who is not complying with GDPR regulations, the hotel will still be held responsible if a breach occurs.

In order for a business to comply effectively with the regulation, it is important to ensure that all relevant staff members within the organisation have a thorough understanding of the implications of the regulation and have received appropriate training.

Under GDPR, if your hotel is targeted by a security breach, you must report the breach to regulatory authorities and all stakeholders within 72 hours of its discovery.

GDPR will also apply to non-EU countries

Despite the fact that this is an EU regulation, GDPR will apply to any organisation that is processing or holding EU personal data, regardless of the location in which they are situated.

Given the large uncertainty surrounding Brexit, the regulation may cause some confusion for British companies who do not hold any EU data or do not operate their business overseas. However, the British government announced in December 2016 that all UK companies will need to comply with the regulations regardless of Britain exiting the EU.

Email marketing

With the majority of hotels relying on emails as one of their main forms of marketing, the introduction of GDPR will signify a major inconvenience for their marketing strategy. This regulation states that customers will now have to opt-in to an email marketing service, as opposed to the current opt-out system.

Hotels must be able to prove that their audience have given consent for their data to be used for marketing purposes, and must also specify which data they wish to be used. If a list of potential customers has been purchased, the hotelier must also receive documentation that proves that consent has been given for the data to be used.

Hotels should start complying as soon as possible

It is vital that organisations do not underestimate how great a task it is to adapt to the GDPR regulations. They must start complying with the regulations as soon as possible in order to ensure that they are prepared for the enforcement date of May 25th 2018.

However, according to Geoff Milton, Security Strategist at ShieldQ, many hotels in the sector are very poorly prepared for the looming deadline.

“Almost all have underestimated the amount of work required to be compliant,” Milton said when speaking to IT Pro Portal. “Furthermore, hotels won’t necessarily share what they are doing, because they may not be doing anything.

“While they may be aware of GDPR’s substantial fines, they may be deterred by what they perceive as the heavy investment involved and the long implementation times.”

The penalties for not complying with GDPR are harsh, at a financial cost of 20 million of 4 per cent of their annual turnover. However, this loss can be easily avoided if the hotel leaves enough time to efficiently adapt to the regulation.


• All businesses must comply with the regulations before the deadline date of May 25th 2018
• GDPR does not only apply to EU countries, but any country handling EU data
• It will also apply to all companies in the UK, despite the aftermath of Brexit
• Data processors are also captured by the regulation
• Email marketing will now be based on an opt-in system

Undoubtedly, adapting your hotel to comply with the new regulations will be a complex task. Once completed, however, the benefits can improve the company’s key performance indicators, and allow them to move forward knowing where all of their confidential information is stored and ensuring that their customers get a secure and satisfying service.

Test for HS

Start your 14 Day Free Trial

Enter your business email to sign-up. UniFi Controller must be online