GDPR: The checklist

Hospitality is full of acronyms. ADR, PMS, GOPPAR, MICE… the list seems endless. But at the moment, there are few more important than GDPR.

It's now under 50 days until GDPR, or the General Data Protection Regulation, comes into force. And though it’s a European Union law, it’s likely that hotels around the world will be touched by it.

As a company driven by data, we have frequently been asked about our own approach to GDPR. So, as we count down the days to the May 25th deadline, we decided to share some of the preparations we are making and some of the tips we’ve picked up along the way, as well as some expert insight into readying your hotel for the biggest change to data protection in the EU for over two decades.

GDPR: a recap

First off, let’s revisit what GDPR is and why it matters for hotels. In a nutshell, it’s new legislation designed to align data protection rules across Europe and fit with today’s digital world. It will mean businesses have to be much clearer about what data they collect and why.

Hotels are likely to be considered a ‘data controller’ under GDPR, which means you determine the purposes and means of processing personal data. That comes with obligations as to contracts with ‘data processors’, which are responsible for processing personal data on behalf of a controller.

Though an EU law, GDPR may apply to businesses outside the EU if they offer goods or services to individuals in the region. Failure to comply risks a penalty of up to 4% of worldwide turnover.

For further details, both eHotelier and Hotel Speak have published useful GDPR primers, and we’ve found useful resources on the UK’s Information Commissioner’s Office GDPR guide.

Data mapping

The first step on our GDPR journey was to conduct a full audit of the data we collect during the course of our work. Through a data mapping exercise, we determined the following:

  • What data we collect

  • Why we collect it

  • What our intention is for that data

  • The retention policy toward that data

We won’t lie, it’s a time-consuming and complicated process that requires involvement from teams across your organization. But it’s through this that you can understand exactly how GDPR will touch your business and adapt accordingly. Company-wide buy-in to your GDPR preparations is crucial.

"In order to operationalize the GDPR we need to incorporate it into how the organization does business in general," says Samantha Simms, information law attorney and founder of The Information Collective. "GDPR compliance must not be standalone; it's a living piece of law that must form part of the DNA of the company."

Contact third parties

Hospitality is exceptionally interlinked as an industry. Hotels work with numerous third parties, such as OTAs, booking engines and companies like Triptease, many of whom could come into contact with the hotel’s data.

Following the data mapping exercise you should have a list of these third parties and what data they might encounter. Find out how they plan to address GDPR so you have the complete picture of your obligations. It is your responsibility to ensure that the third parties you work with are GDPR-compliant.

You also need to ensure that customers are aware when you're collecting their data via a third-party site.

"If you think about, for example, Booking.com, when a customer inputs their details some of those details are automatically sent to the hotel," says Samantha. "In this situation the traveler has no interaction with the hotel until they arrive at the check-in desk. So as a hotel, what you really need to make sure of is that at the time of Booking.com collecting that data on your behalf, it has been made clear to the customer that the data will come over to the hotel and be governed by the hotel's privacy policy."

Update your privacy policy

On that note, refreshing your privacy policy is another important early move. According to Samantha, it’s likely that you’ll be looking at an "extensive rewrite" of your existing policy, which must show a lawful basis for processing data.

“It must describe where you are using data under consent, or using it for legitimate business purposes, or to perform a contract with a data subject (i.e. customer), or in other ways such as to carry out legal and regulatory obligations,” Samantha says.

Once complete, ensure the updated version is published on your website.

Communications strategy

One of the core principles of GDPR is that consumers will be much more aware of how their information is being used. It’s essential therefore that you communicate any changes you expect to make under GDPR to your client base. Perhaps you’ll email your guests or use your loyalty scheme to post a notice.

Much like the data mapping exercise, consider all the ways in which you speak with your customers and what might be the most appropriate method of explaining your GDPR plans, for example in an email asking existing contacts to confirm their subscription, or posting a notice to loyalty scheme members.

Setting this out in a comprehensive communications strategy is strongly advised to ensure you’re covering all your bases.

Incident response plan

Under GDPR, we must all be prepared to deal with any potential personal data breaches. The rules state that if you use a ‘data processor’, for example an OTA or channel manager, and it suffers a breach, you’re required to take steps to address it.

Samantha’s advice is to have an incident response plan in place. In some cases, there is a 72-hour time limit to notify authorities of a breach and provide information, so the plan must be tested to ensure it can meet that deadline.

Check out the ICO’s checklist for an idea of what a plan might entail.

What is compliance?

Given the sweeping nature of the changes coming under GDPR, it’s no surprise that there is a feeling of mild panic in some circles about the ability to be compliant by May.

But listening to experts, it seems there is a recognition among authorities that readying a business for GDPR is a sizeable task, and that there will be leeway if you can demonstrate to both authorities and customers that you are doing your utmost to comply. What won’t be tolerated, however, are flagrant and wilful breaches of the law.

Data protection outside the EU

Of course, GDPR is not the only data protection regime around. Countries around the world have their own rules and in an ideal world hotels would have a privacy framework that takes into account all the relevant regulations.

The good news for anyone getting to grips with GDPR is that the EU legislation has some of the highest standards when it comes to privacy regulations. As Samantha says: “You need to have a robust yet flexible privacy program to handle any changes, but if you put GDPR at its core you can’t go too wrong.”

GDPR is a lot to take in. We hope that sharing some of our learnings will be helpful for any hoteliers currently wading through the documentation and data involved. If you want to know more about how Triptease is handling GDPR, get in touch.


About The Author

Lily is Content Manager at Triptease. When she's not investigating the industry or spreading the word that #DirectIsBest, she enjoys music, cycling, and obscure radio quiz shows.