GDPR: Major impact on hotel industry

The General Data Protection Regulation (GDPR), which applies from 25 May 2018, will bring about a step change in risks for organizations in the hotel industry. The GDPR strengthens existing privacy rules, further empowers individuals whose personal data are processed and introduces administrative fines for privacy violations that can reach up to 4% of total annual worldwide turnover.

The GDPR applies to any organization that processes personal data, but the hotel industry is particularly affected by the new rules. Hotels:

• Obtain high volumes of personal data of their guests and process a large number of payment card transactions on a daily basis.
• Receive personal data from many sources, such as third-party booking systems and their own websites.
• Operate CCTV-systems.
• Conduct profiling activities in relation to their customers.
• Have a relatively high turnover of employees, and independent contractors.

All of these activities involve a relatively high degree of processing of personal and sensitive data at a larger scale.

Under the GDPR, a misuse or breach of personal data will not only involve risks of administrative fines. It may also lead to significant reputational risks and damage claims. The GDPR affects owners and operators alike.

Against this backdrop, it is key for businesses in the hotel industry to focus on GDPR compliance.

A number of practical actions need be taken:

• Ensure that management understands the main issues and risks involved.
• Make an inventory of data processing activities.
• Identify any shortcomings and weaknesses of data processing operations in light of the GDPR.
• Put in place or update privacy policies and information notices given to guests.
• Review and update data processing contracts with third parties.
• Review and update joint data controller contracts, particularly if hotels are run by franchisee(s).
• Review and update consent policies with a view to profiling.

The CMS hotel sector group is more than happy to assist you in understanding the implications of the GDPR and ensuring full compliance of your business and processes per the implementation date.