In a development that is expected to reverberate across the hotel industry in the Netherlands and the EU, the General Data Protection Regulation (GDPR) is scheduled to come into force on 25 May 2018.

The GDPR was designed to strengthen privacy rules, protect the processed personal data of individuals, and introduce administrative fines for privacy violations of up to 4% of total annual worldwide turnover.

Although the new rules will impact any organisation that processes personal data, the hotel industry will be particularly affected for the following reasons:

  • Hotels obtain high volumes of personal data from guests, and process a large number of payment-card transactions daily.
  • They receive personal data from many sources, such as third-party booking systems and corporate websites.
  • They operate CCTV systems.
  • They conduct profiling activities of customers.
  • Hotels have a high turnover of employees and independent contractors.

All of these activities involve the processing of personal and sensitive data on a large scale.

Under the GDPR, a misuse or breach of personal data not only carries the risk of administrative fines, but could also hurt reputations and result in damage claims. The GDPR will affect owners and operators alike.

Against this backdrop, it is vital for businesses in the hotel industry to focus on GDPR compliance, including the following actions:

  • Ensure that management understands the main issues and risks involved.
  • Make an inventory of data processing activities.
  • Identify any shortcomings and weaknesses of data processing operations.
  • Put in place or update privacy policies and the information notices given to guests.
  • Review and update data-processing contracts with third parties.
  • Review and update joint data controller contracts, particularly if a hotel is run by a franchisee.
  • Review and update consent policies involving customer profiling.