How Does GDPR Affect Your Hotel Brand?

Tick, tick, tick. The GDPR (General Data Protection Regulation) is a new set of consumer data handling standards for any hotel dealing with European companies or individuals – and it’s going into effect May 25th of this year.


The GDPR was created by the European Union to bring uniformity to data protection and help hotels (and other business) meet today’s digital security challenges. Due to the large amounts of personal guest data hotels gather and store every day, they are particularly attractive to hackers. In fact, the hospitality industry is among the top five industries breached every year.

Officially adopted in 2016, the GDPR states that any organization that processes European Union residents’ personally identifiable information (PII) must conform to a number of new regulations and security measures, or risk facing significant penalties.

Does the GDPR Affect Your Hotel?

If your hotels are in Europe or serve European guests, the new GDPR protocols must be followed. Specifically, this applies to all hotels (and companies) processing and holding the personal data of individuals residing in the European Union, regardless of the hotel’s location.

Currently, the rules around collecting guest (or potential guest) data are somewhat flexible. Hoteliers can use clever wording, hard-to-find opt-outs and implicit consent to quickly turn customers into subscribers of their various newsletters and email campaigns. This is all changing under the GDPR. The new rules state hotels must clearly explain to every customer:

  • What kind of data you are capturing
  • Why you are capturing the data
  • Who is requesting the data
  • Who else will have access to the data

The point is to ensure that each customer completely understands what kind of data you want and why. The customer, then, can provide unambiguous consent (or not).

Hotel Marketing

Since marketing is usually a hotel’s first guest touchpoint, new materials need to be clear and upfront about what is being asked, and what the user is consenting to. Blanket statements or links to pages of disclaimers will no longer do.

From a digital perspective, designing website pages that accommodate the new large section of text can be challenging. For hoteliers to store any personal data, they will be required to have a section on their website that permits opting in, hopefully executed in a way that creates a friendly user experience. In addition, hotels must explain the entire data gathering process, allowing guests to easily modify or delete personal information as they wish.

Hotel Staff

These new standards apply to every hotel department and every hotel employee, from management to the front desk. Members of the staff must understand how to properly collect, access, use and disclose consumer personal information, as well as how to restrict access to guest cardholder data. Measures should include:

  • Allowing access to personal data only to those who need to see it
  • Training employees to properly dispose of documents containing payment card data
  • Sending marketing communications only to those who have explicitly opted into your program
The Penalties

Organizations found to be in breach of the GDPR can be fined various amounts on a sliding scale, based on the severity of the violation(s). The maximum penalty for the most serious infringements (not having sufficient customer consent to process data, for example) is up to 4% of the company’s annual global turnover or more than $24 million USD (€20 million Euros). For a lesser violation, like not having your records in order, a company can be fined 2%.


To further understand exactly what your hotels have to do – and by when – talk to a cybersecurity partner, such as Armor, or connect with a hospitality GDPR program provider, like Venza. The clock is ticking and that May 25th deadline will be here in no time.

Read a previous OpenKey article

Join us for the best in digital key


Request More Info


Request a Demo