Sam Butler
Feb 27, 2018

Hotels process the personal information of millions of individual people, day in, day out, at all hours, presenting one of the highest risks to data protection across all industries. With the upcoming General Data Protection Regulation bringing additional regulatory burden to virtually every business in or selling to the European Economic Area, how can hotels ensure this risk is balanced, and what are their responsibilities?

GDPR — Europe’s growing concern

From 25th May 2018, all organisations around the world, whether for-profit or not-for-profit, public or private sector, that process EU residents’ personal information will have responsibilities under Regulation (EU) 2016/679, better known as the General Data Protection Regulation, or GDPR.

Many organisations have already been making preparations, some for several years, recognising the impact this sweeping new legislation will have upon their business processes, policies, customer interactions, and storage and use of data from HR to marketing and IT to PR.

Size matters

According to the British Hospitality Association, the industry employs 3.2 million people and accounts for another 2.8 million jobs indirectly, making it the fourth biggest employer in the country, pumping over £73 billion directly into the national economy. Five years ago, Ernst & Young looked at the industry across the continent and suggested that one out of every 13 jobs in Europe was in hospitality, with continued growth ever since.

With numbers like these, it’s not only the big players that have to sit up and take note; every bed & breakfast, guesthouse, family-owned or franchise hotel has a responsibility to ensure the industry is well-represented and continues to garner the trust of its customers and avoid statutory penalties.

A statute with teeth

Penalties for noncompliance with the GDPR can be as high as €20 million, or 4% of worldwide annual turnover, whichever is greater. These figures are designed as a deterrent, but they are very much real, and with an increased upper limit, the size of smaller fines will likely increase too, with a high probability that Europe’s first fines will be used to send a message. Nobody wants that to be them.

Checking in on data risks

In addition to a robust compliance assessment and implementation phase, GDPR compliance is about regular review. Hotels employ a variety of staff with different levels of access to customer information, working shifts that cause records and responsibilities to change hands several times a day, with relatively open physical spaces frequented by guests and members of the general public, presenting unique challenges for information security that simply must be confronted and constantly mitigated.

So it is that for every check-in processed, invoice printed, card payment taken, room service delivery, customer phone call or package held — among many other transactions of personal information — everyone who comes into contact with data needs to know the policies, procedures and risks involved so that every member of staff takes equal responsibility for compliance and nothing falls through the cracks.

Meeting the challenge

Nobody expects business leaders to sit in ivory towers and evolve the necessary measures, and no two locations, even in a multinational chain, are going to have equal parameters. Number of rooms, hours of operation, additional services and number of staff will all have an impact on how information is used once it enters the business, as well as how relationships are defined between franchisor and franchisee, branch and head office, or the business and its contractors.

Almost certainly, hotels or hotel groups will need to appoint a suitably qualified, independent and professional Data Protection Officer (DPO) to oversee regulatory compliance, staff training and the constant review process necessary to ensure that policies, once written, are actually followed. This can be done by hiring an individual or by service contract with a company like Privada.

However you choose to manage your hospitality compliance programme, remember you’re part of an industry your customers can’t afford to lose. Get it right and continue the year-on-year growth across the continent, but don’t wait until it’s too late.


Privada disrupts the data protection compliance landscape by putting our clients’ interests first, helping them to do what they do best, whether that’s business or charity, so data privacy becomes a badge of honour, not a burden.

Written by Sam Butler, Senior Data Protection Consultant

