GDPR - implications for the hotel and tourism sector

13th March 2018 by Fiona Hotston Moore

Businesses within the hotel and leisure industry must comply fully with the EU General Data Protection Regulation (GDPR) by 25 May 2018. Those who fail to comply face fines of up to 4% of turnover or €20m – whichever is the greater.

The UK Government has announced that, despite Brexit, all UK organisations must comply with GDPR. Therefore, all hotels and businesses in the leisure industry holding or processing personal data must comply fully irrespective of size. Businesses are responsible not only for the data they hold but also for any data that is held by organisations to whom they outsource processing.

Typically, hotels and businesses in the leisure sector hold significant amounts of data on customers (and potential customers) such as names, addresses, dates of birth and credit card details. This tends to be held primarily for marketing purposes.  However, they also hold data on employees (both current and past) and prospective employees and, as the industry tends to have a transient employee base, this can amount to a significant amount of data.

This data, if stolen, can be used for credit card fraud as well as other frauds such as identity theft and, for this reason, large hotel groups including the Hilton and Hyatt have been the target of data breaches. In addition, it is possible that in future businesses will be subject to an external review of their processes.

Compliance with GDPR is not a small task. As a starting point businesses should consider:

  • What data do they currently hold within the business and what is held by others on their behalf?
  • Do they have processes in place to deal with subject access requests and deletion requests?
  • Are consents up to date?
  • Do they have processes to report and investigate data breaches?
  • How will they ensure all relevant staff and management are aware of the key aspects of GDPR?

Having considered these points businesses should consider seeking advice from their legal advisers.

For further information please visit the Information Commissioners website.


Fiona Hotston Moore

Fiona Hotston Moore

« Back to blog