GDPR: A Hotelier's Guide, Part 2 - Five Ways to Ensure Your Hotel is Prepared

March 20, 2018 Erica Rich

The General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years and will have a huge impact on the hospitality industry. Is your hotel prepared?

Non-compliance could cost companies dearly. For the most serious breaches, fines of up to 4% of annual global turnover will be imposed or €20 Million, whichever is greater. So yeah, this is serious.

In Part 2 of our month-long GDPR blog series, we’re providing five ways to ensure you are prepared for this new and consequential law.


1. Establish whether or not GDPR applies to you

It’s important to understand that GDPR applies to the handling of information of EU citizens, not just hotels operating in Europe. If you have the data of any EU citizen or resident, regardless of when that resident stayed with you, then yes, GDPR applies to you.

2. Educate and train your staff

GDPR applies to every hotel department, from Ownership to Front Desk Agents. Start by building awareness. Hotel staff must understand how to collect, access, use and disclose personal information, as well as how to restrict access to cardholder data. Measures should include: 

  • Limit access to personal data to only those who need to see it
  • Advise employees on how to properly dispose of documents containing payment card data
  • Read up on relevant GDPR terms you and your staff need to know. Check out our GDPR Glossary of Terms for help
  • Send email marketing communications to only those who have explicitly OPTED IN to your hotel guest marketing program

3. Know where your data is stored

Hotels by nature manage a vast amount of personal data. Before you even begin protecting the data, you first need to know which information you are holding and where it’s stored. General Personally Identifiable Information (PII) includes:

  • Name
  • Birthdate
  • Email
  • Address
  • Phone Number

In addition to general data, hotels have to consider other sensitive information they may be collecting on guests. For example, even something like a guest’s dietary preference could be considered sensitive health information and therefore out of compliance if you don’t have their explicit consent to process such data.

Hotels receive all this information from many sources, including third-party booking systems, point-of-sale systems, their booking engine, email marketing messages, phone, even scribbled Post-It notes. First account for all data, then decide how it should be handled. Actions can include deletion, redaction, encryption, quarantine, or storage in an accredited, cloud-based storage solution, where it can be accessed by staff. Another consideration is IT -- ensure your systems are up-to-date for maximum data protection.

4. Understand who has access to your data

Don’t forget that many partners and third parties also have access to your data. It’s important to understand all existing contracts and who has logins to each of your systems storing sensitive data. Ensure these partners and data processors, like Revinate, are able to comply with GDPR’s “right to be forgotten” stipulation. Under it, anyone residing in the EU, not just EU citizens -- can request their personal information be removed from databases in a timely fashion or know the reason why it can't. This means that not only do you have to wipe your own systems, but your data partners will be expected to as well.

5. Seek assistance 

As a final tip, consider consulting legal or other data privacy expertise for guidance specific to your hotel or organization. It may be recommended to appoint a Data Protection Officer (DPO). The DPO should always be aware of all data flows in the hotel. This leadership and alignment are especially important for hotels with multiple properties or in multiple EU countries.


To sum up, May 2018 is right around the corner. With these tips, take action now to build awareness, train your personnel, audit your data and partners, and likely seek legal expertise to ensure full compliance. Ultimately, it’s all about protecting your guest’s data. Take this seriously, and you’ll be well prepared for next May and beyond!


To find out more about GDPR and practical tips for marketing, please refer to the other three parts of our Hotelier’s Guide blog series:

Check out GDPR FAQ page for answers to any questions you may still have about the GDPR.

The post Five Ways to Ensure Your Hotel is Prepared for GDPR appeared first on Revinate.

About the Author

Erica Rich

Erica Rich is the Sr. Hospitality Marketing Strategist at Revinate and is responsible for maximizing customer success through the education and adoption of hotel email marketing best practices. As the developer and instructor of Revinate's Email Marketing Certification for Hoteliers, Erica has traveled around the world, educating hoteliers on how to become effective email marketers. She joined the Revinate team in July 2015 and is based at the company’s headquarters in San Francisco, California.

More Content by Erica Rich
Previous Article
Executive interview: Oliver Geldner on distribution, marketing & revenue
Executive interview: Oliver Geldner on distribution, marketing & revenue

Right before the holiday season, I had a chance to interview Oliver Geldner to talk about hotel marketing, ...

Next Article
December Campaign of the Month
December Campaign of the Month

Reservations made for just one additional night can make all the difference between a good month and a grea...

Increase direct bookings with Revinate Marketing

Get Started