GDPR Rules for Hotels

May 25, 2018 GDPR News GDPR Advice Comments Off on GDPR Rules for Hotels

The newly-introduced European Union General Data Protection Regulation has far-reaching effects on businesses and organizations that deal with, or employ, European Union citizens anywhere in the world. One of the main business sectors affected by this legislation, which was introduced on May 25th, is the hotel industry.

In fact, few businesses are more affected by GDPR regulations than the hotel industry. This is due to the fact that hotels are vulnerable when it comes to data security. They process huge volumes of highly sensitive personal data on a daily basis.

Research shows that hotels are one of the most vulnerable sectors when it comes to data breaches. In 2016, the hotel industry had the second highest number of security breaches.

In the lead up to May 25, hotels had been seriously reconsidering how secure their stored data was. Some are still wondering if they have done enough. There are two reasons for this; severe penalties and bad publicity. 

The aim of GDPR is to increase the protection of personal data. This is achieved by strengthening the legislation concerned and ensuring better supervision of the processing of personal data by businesses including hotels. Fines for violation are hefty. They may be as high as 4% of the company’s annual income.

Why are Hotels so Impacted by GDPR?

Hotels are particularly impacted by the new GDPR regulations for several reasons.

  1. They collect and process significant amounts of personal data.
  2. They receive personal data from a wide number of other sources including individuals, companies, third-party booking agents such as travel agents and online booking companies.
  3. Almost all hotels have closed circuit TV systems.
  4. Hotels employ a large number of employees at each location and many chains have locations all over the world.
  5. Hotels have a high turnover of guests, employees, trades people and contract workers.
  6. Hotels use profiling of personal data of their clients.

Each of the above activities involves personal data processing. Some of the data is sensitive. Breaches in data or misuse of it will be severely penalized under GDPR. Heavy fines and bad publicity are unhealthy for travel industry partners. The losses could be catastrophic.