Do you know what GDPR will mean for your hotel? The keys.

The way hotels obtain and process personal data is about to change. We explain what GDPR is and why it is important to you.


What is GDPR?

If you haven’t heard about GDPR yet, it’s time to get up to speed. GDPR is an acronym for General Data Protection Regulation, new EU legislation that introduces the biggest changes to data protection in the EU since 1995.

What was there before GDPR?

Prior to GDPR, there was the 1995 EU Data Protection Directive (95/46/EC), a piece of legislation that set an objective for all EU countries without defining the means to achieve this objective. Since then, the world has changed drastically and legislation was needed to establish the new rules for the new digital era.


What is the purpose of GDPR?

Indeed, the aim of the GDPR is to protect all EU citizens in terms of privacy and data breaches in an increasingly digital data-driven world, which differs greatly from the time when the 1995 directive was established. The objective is twofold:

  1. Empower individuals to control their personal data.
  2. Establish a single set of protection rules across the EU.


Does GDPR apply to hotels?

Whether GDPR applies to one’s business is the first question we ask ourselves, right? The answer is YES, as long as your hotel controls or processes personal data of EU citizens. That is, your hotel may not be physically located in the territory of the European Union, but if you have any relationship with the personal data of EU citizens, the new regulation will apply to you as well.

Consider this: if your hotel chain is headquartered in Latin America, but you sell to EU travel agents, you will have to comply with GDPR regulations. If you collect information about the behavior of EU citizens (analyzing tourism trends in Spain, for example), you must comply with GDPR requirements. These two questions will help you find the answer:

    • Do you offer your accommodation and ancillary services to EU citizens?
    • Do you analyze the consumption trends of EU citizens?

If your answer is yes to any of these questions, you need to know all about GDPR and take steps to adjust your processes for the new legislation. The increase in Territorial Scope is one of the biggest changes in the new regulation and greatly increases the impact of GDPR.


Why is the Hotel sector more sensitive to GDPR than many others?

Unlike most industries, the hospitality industry is extremely vulnerable to data security threats. The volume of sensitive personal data and credit card information, collected and processed, makes the hospitality industry one of the most vulnerable to data breaches (Verizon 2016 Data Breach Investigations). Online booking systems and multiple payment points make hotels an easy target for cyber-attacks. According to the report, the industry accounted for the largest number of cyber incidents in 2016.

  • Your hotel is more vulnerable to data security threats.

GDPR legislation implies the highest levels of data security, which could be a challenge for the hotel industry. The risk of facing large financial penalties is high and hotels must update their data protection policies to avoid potential losses.

The penalties for not complying with GDPR are much larger than under previous legislation. Violation of the rights of the subjects whose data has been collected can have a financial cost of up to €20 million or 4% of global annual revenues (whichever is greater), not to mention possible reputational costs.

  • Violation of the rights of the subjects whose data has been collected may have a financial cost of up to €20 million or 4% of global annual revenues (whichever is greater).

The GDPR is a big leap that implies changes

What changes will the GDPR bring?

Don’t worry! We will continue to post to provide you with a detailed description of the legislation and its application in the hotel sector, but for now we want to give you some examples of what is about to change for hotels.

Total data management

The new legislation is strict. To ensure compliance with the new regulations, you must be in full control of your internal and external processes and know all the details related to the personal data you process. Policies and principles should be defined, along with a code of practice and self-regulatory audit questions. You must establish the purposes for data acquisition, making sure you know exactly how and where you collect this data. Where you store it, for how long, who has access to it, what your disposal policy is: the answers to these questions should not only be clear, but also fully documented.

  • Define the purposes for acquiring data, how and where you collect it, where you store it, for how long, who has access to it, what your disposal policy is.

Clear notification and explicit consent

Currently, the rules on the collection of personal data are somewhat flexible. The wording can be clever and have a double meaning, “opt-outs” are commonly used, and you have the opportunity to easily sign up your current and potential guests to various informative newsletters, adding their contact details to any number of subscriber lists. The legal notice and privacy policy are written in language that is difficult for the average user to understand and a very small percentage of customers actually read the entire text, which gives the company an advantage.

Under GDPR, all that will change. Clear notification means that, when collecting personal data, hotels must explain in clear language exactly what data is being captured, for what purposes, how long it will be stored, who has access to it and what a customer’s rights are in this regard. The user must have a full understanding of these points and, in accordance with the GDPR, it is your responsibility to inform them.

As for explicit consent, it means that the user, once fully informed of everything, must give his or her unequivocal affirmative consent. The user’s personal data may be used for an exact period of time and only for the purposes for which the user gave consent.

  • Tell your customer what their rights are, what data is being captured, for what purposes, how long it will be stored and who will have access to it.
  • You must receive unambiguous affirmative consent from a fully informed user.

Third parties and partners

‘We are who we hire’.

Hoteliers should take more precautions to ensure that their partners comply with the latest data protection regulations. A major change due to GDPR is that all entities involved in data processing are responsible for its security. That said, if a hotel is outsourcing data processing to a non-compliant third party, both the hotel and the third party may be held liable if a breach occurs.

  • All entities involved in data processing are responsible for data security.

What should you do now?

Now that you know why GDPR is important to the hospitality industry, it’s time to learn more about the legislation and take steps to prepare your hotel or chain for when the regulation goes into effect. In the following articles we will give you a more detailed explanation of the regulation and its principles. See you next time!