The General Data Protection Regulation comes into effect in mid-2018 and will introduce a number of substantive changes to data protection laws across Europe. The changes are likely to be supplemented by new rules in relation to electronic marketing and online tracking. The GDPR will require all organisations to review how they collect, hold and process personal information and how they communicate with individuals. Organisations will need to adopt new measures and update their internal processes to demonstrate their compliance with the GDPR. The new rules will be backed up by enhanced enforcement powers.

Changes include:


There is a new requirement for 'clear affirmative action' and an end to pre-ticked boxes and bundled consents.


Organisations must provide much more information to individuals.

Lawful Processing

There are stricter rules on processing data for new purposes.

New access rights

Greater rights are given to individuals, including rights of erasure, protection against profiling, and a right of data portability.

Privacy by design and default

Existing good practice recommendations must be hard-wired into day-to-day operations.

Breach notifications

New express obligations to notify privacy regulators and affected individuals in the event of certain data privacy breaches.


Organisations will have to demonstrate compliance to regulators on an ongoing basis and maintain records.


The power for regulators to issue fines for up to 20m or 4% of worldwide turnover (including substantial fines for administrative breaches).

How will this affect me?

Many hotel operators will hold extensive marketing databases containing personal information. This information will be collected through bookings and administration and online and offline marketing activities. Information will be collected directly from individuals, but also via intermediaries such as travel agents, tour operators and travel search websites. User profiling and online tracking tools such as cookies can be used to help better target marketing campaigns. The GDPR requires organisations to review the information held as well as their processes and adopt new procedures in relation to why and how that information is collected and used.

Where a hotel is operated under a franchise, operators will need to understand the data protection issues in relation to personal data that is shared with the franchisor.

Hotel operators will also hold substantial amounts of personal information on their workforce whether directly employed or engaged through contractors. Organisations should review the information held and their procedures to ensure that the basis on which it is collected and used is GDPR compliant.

Specific issues:

Data collection - do your privacy notices and data collection processes meet the new rules on transparency and consent? How do you provide your privacy notice when a booking is made through an intermediary?

Marketing consent - do you obtain appropriate consent to send individuals electronic marketing?

Marketing lists - if you acquire marketing data from third parties, are you confident that you have the right to use that information?

Policies and processes - have you reviewed your data policies and processes for allowing individuals to opt out of future marketing?

Data retention - how long do you retain information on your marketing databases? Do you have a data cleansing policy?

Profiling and tracking - what tools do you use for profiling individuals and tracking online activity (for example, cookies and web beacons)? Do you obtain appropriate consent and provide fair notice?

Workforce data - what information do you hold? How long do you retain it for? Do you need to hold that information? Is the processing fair and lawful?

Franchisees - if you share personal information with your franchisor or another third party, is that being done on a lawful and transparent basis and is the information sharing relationship set out in a written contract?

What do I need to be doing?

  • Identify your team and plan your strategy for compliance.
  • Create an information asset register - what personal information, and where, why, how and with whom do you process it?
  • Review the legal basis for your data processing activities.
  • Review your data collection forms and privacy notices to ensure they meet the new requirements.
  • Review your processes and systems for dealing with data subjects' rights, including new rights in relation to erasure of data and data portability, and your use of profiling.
  • Implement data governance policies and measures and training to ensure your organisation operates in accordance with the requirements of the GDPR.
  • Review your supply chain arrangements with data processors such as your CRM and bookings management systems and third parties such as intermediaries and franchisors/brand licensors.
  • Ensure that new technology and systems are GDPR ready.