May 2018 is coming, and the hotel sector has until May 2018 to comply with the EU General Data Protection Regulation (GDPR). Failure to comply could see hotels facing fines of up to 4% of annual turnover or €20 million (whichever is the greater).

Technology has changed the way hotels interact with customers and has improved the overall experience the customer has with a hotel, but it also brings the challenge of protecting that customer's data and privacy.

Recently a number of large hotels such as Hilton, Hyatt and IHG Hotels have seen data breaches and the loss of thousands of customers' details. This can happen to a hotel of any size unless you take steps to protect that data. Hotels are prime targets for hackers because of the amount of information held in their databases. A typical database contains names, addresses, dates of birth and credit card details. All of this information can be used to carry out identity or credit card fraud.

The introduction of GDPR is there to help hotels and their owners reduce these risks by becoming fully compliant, and this has to be done before the May 2018 deadline.

It's vital that owners look at what data they have, how long they have had it and what consent they have to use it. Failure to do so would result in potential fines being imposed.


Let’s look at internet sensation Rinkit, a business that grew from selling cocktail shakers on eBay from a back bedroom to a £10 million turnover in 9 years.

If they were to receive the maximum penalty on their £10 million turnover, their penalty would be £400 million.

GDPR is widely dubbed the “biggest shake up of data protection laws for 20 years”. The key thing that all organisations must take into consideration is that, despite this being an EU regulation, it will apply to your hotel if it is holding or processing any EU personal data, regardless of where your hotel is located around the globe.

From a UK perspective, even if your organisation does not have overseas operations or hold EU data, the UK Government recently announced that, despite the uncertainty surrounding Brexit, all UK organisations will need to comply with GDPR regardless of the UK leaving the EU.

The key principle behind GDPR is that it has been designed to give your customers more power over what information you hold on them and what it is being used for. Under GDPR, all consent must now be easy to understand and be written in plain English. Consent must be just as easy to withdraw.

If you were unfortunate enough to experience a data breach, then under GDPR you would need to ensure that the breach is reported to all stakeholders and regulatory authorities within 72 hours of the breach being discovered.

It is vital that you do not ignore GDPR. Doing nothing will result in your hotel being hit with major fines, loss of reputation or even a ban from trading in certain jurisdictions around the globe. You and your managers need to understand the implications of GDPR, how it will affect your hotel and what is needed to ensure compliance by the enforcement date in May 2018.

Complying with GDPR is no small job, but answering the following questions should help.

  • What data do you currently hold and where?
  • Are your current processes able to deal with subject access requests and deletion requests?
  • Do you have privacy notices and are they current?
  • Do you have consent for the data you hold?
  • What processes do you have in place to report and investigate data breaches?

At SFB Consulting Group, our team, along with our specialist GDPR solicitor, will work with you to understand your operations and ensure you become GDPR compliant before 25th May 2018.