GDPR in the Hospitality Sector

Within any sector, data is an asset to any business, especially those businesses that rely on knowledge of their customers’ behaviour and preferences to retain their customers, establish brand loyalty and stay one step ahead of any competitors.

With modern technology, it has become easier to acquire customers’ information. If your customers’ information is held in a database of unique online profiles, you have the added bonus of the customers’ valuable browsing habits.

A massive 45% of hospitality and leisure businesses believe that the GDPR changes will not affect their operations, when in reality they will. The legislation has strict rules to make sure that protections are put in place when using website cookies and employee data.

Even though GDPR came into place in April 2016, organisations were given until 25th May 2018 to become compliant. According to a survey carried out by YouGov, only 34% of hospitality and leisure companies were aware of GDPR in May 2017. If your business is one of the 66% that is unaware of GDPR, now is the best time to get to grips with it.

How prepared is your Hospitality organisation for GDPR?

To start off your GDPR preparation, create a risk assessment and provide all employees with training in data protection.

Who should be in charge of your GDPR compliance?

Establish a data support officer who will take ownership of your organisation’s data and can also provide additional GDPR support.

The type of data you hold and where to store it?

It is more than likely that your organisation will hold a large amount of data. It’s important you know where the information is kept and stored and also who you are sharing it with.

Get to know your organisation’s ePrivacy Regulation?

Data users must explicitly consent to the use of third-party software such as Google Analytics.

Does your organisation accept euros?

Your business doesn’t need to be established in the EU for GDPR to apply. It is when the acceptance of an EU tender

What to do in an event of a data breach?

You have 72 hours to report any data breach to your organisation’s lead supervisory authority. In May 2017, only 33% of hospitality companies believed that they could fulfil the requirements of GDPR.

Have you got the consent to use data?

Everyone must have a legal basis and the individual’s explicit consent to process or share their data. You must look at your existing pre-ticked boxes and check if your existing consents meet the new GDPR conditions.

Make sure your international data transfers are up to date

You must make sure you have an individual’s explicit consent to transfer their data. Be aware that they can withdraw their consent for you to hold their data at any time.

Are you established in any EU countries?

You no longer have to register with your local Data Protection Authority (DPA), only with the DPA member in your own establishment. You must, however, carry out your own privacy impact assessments, and the DPA can intervene if a GDPR breach is made or suspected.

Does your organisation need a Data Protection Officer (DPO)?

If your company carries out large-scale monitoring of current or past customers or members, you will need to appoint a DPO within your organisation.

