GDPR is designed to give people better control over their personal data, so the important question is: does your hotel, and its management software, comply with the new GDPR rules?

GDPR, what is it and why is it important for the hospitality sector?

The EU and the United Kingdom are currently governed by the Data Protection Act of 1988, which was enacted following the EU's 1995 data protection law, created long before the internet and the cloud opened up new ways to share data. GDPR will give people more control over how their personal data is used. Today many companies such as Google, Facebook, Twitter and other social media and marketing companies exchange user data to provide services, and GDPR has been designed to protect the privacy of all EU citizens. GDPR protects all information relating to a person: a name, a picture, an email address, credit card information, banking details, timeline posts on social media websites, medical information, or a computer's IP address.

What is GDPR?

The General Data Protection Regulation (GDPR) is the most important piece of EU data protection law; it unifies and strengthens data protection for individuals in the European Union. The European Commission first published GDPR in 2012 and, following four years of discussion, it was adopted in April 2016. The regulation replaces the existing Data Protection Act. With GDPR in force from 25th May 2018, there will be major changes to data protection law and harsh penalties for those who do not comply.

What will be the impact of GDPR on the Hotel Industry?

The hotel business is considered one of the most exposed to data threats. According to the Verizon 2016 Data Breach Investigations Report, the hospitality industry accounted for the second largest share of security breaches involving lost cards following a data breach. This is no surprise: guests hand over card details and hotels process that information daily, which attracts highly motivated financial criminals. Hotel software will need to adhere to the new GDPR rules and give management and IT admins the parameters and access they need to purge data that a guest does not want the hotel to retain.

Things to consider before adapting to the regulation

One of the primary issues for a hotel is data discovery. Hotels receive guest payment card information through the website, by phone, by email at checkout, in SMS and WhatsApp chats, by fax and so on, and this data is often stored in multiple locations. Only when management knows where and what information is stored can they process it in a way that protects it.

Hoteliers then need to secure their website and bring it into compliance. The business must have access to the data it stores and the ability to change or delete that information. It must also be able to prove to the relevant authorities, through system activity logs, that it can track and oversee actions on its network resources when necessary.

Hotels should now be more cautious about their third-party partners, so that these do not become a data protection threat to the hotel's business. An important feature of GDPR is that data processors are covered by the regulation as well as data controllers. For example, if a hotel, as a data controller, outsources the processing of data to a third party that is not GDPR compliant, the hotel will be held responsible if a data breach occurs. Current credit card sharing practices between OTAs, hotels and other third-party service providers will need to change drastically.

To comply effectively with GDPR, it is vital to conduct regular staff training on how to handle card information securely. Educate staff that it is unsafe to write down or email card details and other sensitive information, and advise them on how to create strong passwords.

Under GDPR, if your hotel suffers a security breach, the breach must be reported to the authorities and all stakeholders within 72 hours of its discovery.

Will GDPR only apply within the European Union?

Although it is an EU regulation, GDPR applies to any organisation, regardless of location, that processes or holds the personal data of EU citizens.

Given the large uncertainty surrounding Brexit, the regulation is causing some confusion for British hoteliers who do not hold any EU data or operate overseas. The British Government has announced that all UK companies, including hotels, must comply with the regulation regardless of Britain exiting the EU.

What if I am not compliant?

If a complaint is received from an EU citizen, the penalties for not complying with GDPR are harsh. The maximum fine is set at 20 million Euros or 4% of annual global turnover, whichever is greater. However, this loss can easily be avoided if the hotel leaves itself enough time to adapt to the regulation properly.

Hotels should start complying as soon as possible

The reality is that hotel operators tend to keep customer information in several different places: the central reservation system, web booking engines, the property management system, point of sale, e-mails, and credit card authorisation forms. Simply put, there are too many places where the data is vulnerable to theft and where intrusions are possible.

The need for GDPR is largely technology driven: today's guest expects a seamless experience, so more and more systems share data, which gives rise to data exchange and to possible intrusions and hacks.

It is important for organisations to start complying with the regulation as soon as possible, to ensure they are prepared for enforcement before May 2018.

Important facts and what actual policy implementation requires

Internal processing – The business must provide detailed information on why it needs to process personal data and how long it plans to keep it. This requires an organised retention policy, so the business knows the status of that information.

A hotel must keep system logs, user activity logs and technical records, and obtain the necessary certificates to prove it is protecting data. These help the business show the supervisory and regulatory authorities that the important mechanisms are in place.

Hotels need to include an "opt in" option on their websites that allows them to store guest data. They must also explain the section and process that enable guests to access, modify and delete their data. Information held in many different places poses a significant threat here.

We highlight a few things to consider when planning security improvements

  • Malware was one of the major threats, and the reason for 94% of breaches in the hospitality sector. So install better anti-malware security, update virus definitions regularly and maintain logs.
  • When it comes to GDPR compliance, conduct regular staff training on how to handle card information securely. Educate staff that it is unsafe to write down or email card details and other sensitive information, and advise them on how to create strong passwords.
  • Payment gateways are one of the primary ways guest card details get stored. Most hotel properties need a third-party vault provider. By using such a vault, the sensitive information is removed from your custody and you are given a tokenization system that can be used for billing. With this integration you move the risk of storing card data to a third party that specialises in doing so and has all the security controls in place to keep the sensitive information safe.
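One way to model the controls listed above and in the policy points before them (card numbers tokenized by a vault so the hotel keeps only a token, guest access and erasure, a retention policy and an audit log), as an added example that is not mycloud's code nor any real vault provider's API; the vault is simulated and the card numbers are constructed test values:

```python
"""Toy model of the hotel-side data controls (added example, not mycloud code)."""
import re
import secrets
from datetime import date, timedelta

PAN_RE = re.compile(r"\b\d{13,19}\b")   # what a full card number looks like


class SimulatedVault:
    """Stands in for the third-party vault; the hotel never reads its store."""

    def __init__(self):
        self._pans = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self._pans[token] = pan
        return token

    def charge(self, token: str, amount: float) -> bool:
        # Billing is done by token; the PAN stays inside the vault.
        return token in self._pans and amount > 0


class GuestStore:
    """Hotel records hold the token and last four digits only, never the PAN."""

    def __init__(self, vault: SimulatedVault, retention_days: int = 365):
        self.vault, self.retention = vault, timedelta(days=retention_days)
        self.guests, self.audit = {}, []          # audit: (action, guest, date)

    def store(self, guest_id: str, name: str, pan: str, last_stay: date) -> dict:
        record = {"name": name, "card_token": self.vault.tokenize(pan),
                  "last4": pan[-4:], "last_stay": last_stay}
        assert not PAN_RE.search(str(record)), "PAN must not reach hotel storage"
        self.guests[guest_id] = record
        self.audit.append(("store", guest_id, last_stay))
        return record

    def access(self, guest_id: str) -> dict:      # subject access request
        return dict(self.guests[guest_id])

    def erase(self, guest_id: str) -> bool:        # guest asks for deletion
        removed = self.guests.pop(guest_id, None) is not None
        self.audit.append(("erase", guest_id, None))
        return removed

    def purge_expired(self, today: date) -> list:  # retention policy sweep
        stale = [g for g, r in self.guests.items()
                 if today - r["last_stay"] > self.retention]
        for g in stale:
            del self.guests[g]
            self.audit.append(("purge", g, today))
        return stale
```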

  • All hotels must be prepared and comply with GDPR before the deadline, i.e. 25th May 2018.
  • GDPR applies to every business, regardless of location, that handles EU citizens' data, and non-compliance will attract hefty penalties.
  • The regulation applies to businesses in the UK, despite Brexit.
  • Data processors are also covered by the regulation.

Certainly, adapting your hotel to comply with the new regulations will be difficult. But the outcome and its benefits will improve the hotel's key performance, allow management to know where all of their confidential information is stored, and ensure their customers get a secure and satisfying service.

Subscribe to technologies that are PCI compliant and get trained, so you can avoid data breaches and hefty financial penalties.

“Guests nowadays care about their privacy and they expect hoteliers to respect that”.


About The Author

Deepak Chauhan

Deepak Chauhan is responsible for marketing and positioning of the "mycloud" platform and is a veteran of the hotel software industry with over 25 years' experience, giving him a strong understanding of the industry's product requirements. He has a very rare mix of experience: working in operations at various hotels and chains for over 10 years, then co-founding a software product and service company serving 5-star hotels and chains for 14 years.

Deepak has led the development and marketing of cloud-based hospitality systems that meet the specific business objectives of small and mid-size properties across the globe, and has worked closely with a diverse group of hoteliers and hotel technology vendors.