Skip links

All you need to know about GDPR

Effective on 25th of May 2018, the European Union’s general data protection act or GDPR is a upgradation of their 20 year old data security act. The GDPR plans to protect and strengthen the privacy rights of European Union (EU) individuals through tougher, and more detailed requirements for handling and processing personal data.  In the wake of back to back data theft scandals earlier this year, this unprecedented step has caused quite a stir in the business market, especially in the ones that deal with guest data, like the hospitality industry.

This huge and complicated data security act has got every hospitality pundit at the edge of their seats. Well, first of all, do not panic. We at Repup have got you covered. In this article, we are going to provide you detailed information about GDPR and how it will affect your hospitality business.


Who does the GDPR apply to

There is mass confusion in the market regarding who does the GDPR apply to. Allow us to clean up all the misconceptions around it. The GDPR applies to you whenever you store personal and sensitive data or personally identifiable information (PII) of EU citizens..


Here we can take an example. If your hotel is located outside the EU zone, supposedly in Thailand and you have EU citizens staying on your property, then you have to process, secure, and handle the personal and sensitive data of the said citizens as per the GDPR act.


How will it impact your business

When the GDPR gets effective, any organization that processes PII (personally identifiable information) will have to follow to a number of regulations, or risk facing substantial penalties. For example, it will be mandatory to notify GDPR representatives within 72 hours of any security breach and, for the most serious breaches, fines of up to 4% of an organization’s turnover may be imposed.


However, the GDPR committee has announced companies that are able to demonstrate that they are willing to change the current data handling and processing practices, will most likely see a reduction in fines.


The steps you need to take to comply with GDPR

Once the GDPR arrives, the hotel industry will face intense disruptions and changes. In this part, we are going to provide you a step by step guide on how to comply with GDPR norms


1.Customers right to information:

Hotels that are doing business with EU citizens, now have an obligation to make individuals aware of their rights under GDPR as part of the data collection process. Many privacy policies or T&Cs will likely need to be updated.


2.Customers  right to consent:

Under GDPR, getting customer consent before storing and processing their data, will be imperative. This is very important to get right as hotels must be able to prove that the customers have given consent for their data to be used for specific activities. The hotels must also be able to specify which data they want to use and for what purposes. Additionally, EU citizens will have the right to withdraw consent at any time.

Double opt-in, in which an individual, upon signing up for email promotions or newsletters, receives another email with a verification link, can be used as a  standard method of capturing Proof of Consent from individuals.


3.Using the collected data for specific purposes:

Once the GDPR gets implemented, personal data must be processed only for a designated pre-requisite purpose. One of the key fundamentals of GDPR is not to retain personal data for longer than necessary. In simple terms, data cannot be processed in a conflicting and unplanned manner without outlining the purpose such endeavors first.

For example, when taking an email address at the time of booking, their email cannot be used for email marketing at a later stage without their consent.

Creating a data flow map will help businesses understand what data comes into the company. It can also provide clarity on who processes the data and for what purpose, including where it ends up.


4.Auditing the current data processing structure:

Hotels need to audit and review their entire data processing and storage facilities. The methods of such must be safe and encrypted. A standard Data security protocol should be followed by the workforce and employees must be educated on how to keep data secure.


5.Data Breach Procedure:

Hotels need to come up with a standard procedure for potential data breach scenarios. In any case of a personal guest data breach, EU authorities must be notified within 72 hours of being aware. It is imperative to ensure your employees understand what constitutes and can lead to a personal data breach. Employees must also know the procedures in the event of a breach and to report any mistakes immediately to the team responsible for data protection and security.



Such a regulation of huge proportions may seem very troublesome to handle, but with the right knowledge and guidance, hoteliers can be well on their way to compliance. May 2018 is almost upon us and to sum it all up, at the end of the day it is about protecting your guest’s data. With these suggestions, start building the necessary infrastructure for data security, audit your data and start training your employees from today so that by May 2018, you stay well prepared for the introductory impacts of the GDPR.

Leave a comment