GDPR and the Hospitality Industry

When running a business it is important to note that Governments can change the rules and regulations concerning businesses from time to time. Any change in regulation means a change in the way the businesses operates. Therefore, to be on the good side of the law, you need to ensure that you are up to date with new regulations. One such regulation about to change the dynamics for many businesses is GDPR. GDPR is an acronym for General Data Protection Regulation. On May 25, 2018, this regulation comes into effect in the EU. This will greatly enhance the need for Data Privacy and Data Protection. Noncompliance could result in massive fines (upto 4% of Global Turnover of Corporates in Breach).

One might wonder how a EU regulation could affect businesses outside the territorial area of the EU. Taking a specific look at the hospitality industry, consider some of the following examples:

  • If you are a Macau Based Casino, and are selling to EU tourists or travel agents
  • If you are a hotel chain, monitoring the travel booking of EU citizens traveling to the “Dubai Shopping Festival”; the floating Market in Bangkok, or the beaches of Subic Bay; or any such local event.
  • If you run guided tours to wild life sanctuaries, in Africa; scuba diving off the Great Barrier Reef
  • If you manage tourists for the “Rio-Carnival”; or mountain climbing for Mount Everest, or visits to the Great Wall of China, the Taj Mahal, the Pyramids; or the Statue of Liberty

From the various scenarios above, one common denominator is that you would be processing data of EU citizens. GDPR aims to protect the privacy of EU individuals within the EU and to extend the reach of EU Data Protection Law across the world. So, the territorial scope of GDPR includes the whole world.

Consider how this could be possible. If you use web-analytics tools for personalization and re-targeting purposes for users in the EU then GDPR applies to you. If you have visitors from the EU and collect personal information; Data as simple as their name and mail id, for say feedback / user experience, then GDPR applies to you.

GDPR will have an impact on several ways in which hotels / tour operators seek to attract guests from the EU. All hotels and tour operators thrive on collecting details of their guests. Unlike earlier, now Explicit consent would be required to utilize such data.

Hotels in the future won’t be able to use simple, general statements or links to other pages to collect data. They will have to be explicit and clear on how the data would be used. It would need to be upfront and clearly presented.

This will thus have a big impact on user experience design, in digital marketing campaigns or loyalty programs.

The questions you need to ask

  • With the introduction of GDPR, are you aware how the laws will impact the way in which your hotel / tourism business operates?
  • Whether you are based in Africa, Asia, Australia or North America, are you aware that the laws could influence your ability to collect data and attract guests from the EU?
  • The Impact on your ability to use digital marketing in the current format would need to be greatly modified? Are you ready, and do the people tasked with these activities aware of the importance and need for compliance?
  • Non-compliance or breach can cost you heavily, is your organization aware?

Everyone in the hospitality industry has the potential to be impacted in some way by GDPR, regardless of size, or location. It is those business that move to understand the law and become compliant today, that will see them succeed in the new data privacy world of tomorrow.


Sunil Mohal
Sunil Mohal is an ITIL® Expert, engaged in assisting organizations in the area of training and certification for almost 30 years. From setting up and managing captive support centres involving a few thousand systems to supporting global organizations with hundreds of thousands of employees in fulfilling their training needs, Sunil has seen technology and its use and misuse from close quarters.