GDPR Rules for Hotels

The newly introduced European Union General Data Protection Regulation (GDPR) has far-reaching effects on businesses and organizations that deal with, or employ, European Union citizens anywhere in the world. One of the main business sectors affected by this legislation, which was introduced last Friday, May 25, is the hotel industry.

In fact, few businesses are more affected by GDPR regulations than the hotel industry. This is because hotels are vulnerable when it comes to data security: they process huge volumes of highly sensitive personal data on a daily basis.

Research shows that hotels are one of the most vulnerable sectors when it comes to data breaches. In 2016, the hotel industry had the second highest number of security breaches.

Hotels are seriously reconsidering how secure their data is in preparation for GDPR legislation on May 25. There are two reasons for this: severe penalties and bad publicity.

The aim of GDPR is to increase protection of personal data by strengthening legislation and supervision of personal data that is processed by businesses including hotels. Fines for violation are hefty. They may be as high as 4% of the company’s annual income.

Why are Hotels so Impacted by GDPR?

Hotels are particularly impacted by the new GDPR regulations for several reasons.

  1. They collect and process significant amounts of personal data.
  2. They receive personal data from a wide range of other sources, including individuals, companies, and third-party booking agents such as travel agents and online booking companies.
  3. Almost all hotels have closed-circuit TV systems.
  4. Hotels employ a large number of employees at each location and many have locations all over the world.
  5. Hotels have a high turnover of guests, employees, tradespeople and contract workers.
  6. Hotels profile their clients using personal data.

Each of the above activities involves personal data processing. Some of the data is sensitive. Data breaches or misuse of data will be severely penalized under GDPR. Heavy fines and bad publicity are unhealthy for travel industry partners. The losses could be catastrophic.