Are you ready for new EU data regulations?

8 tips on getting ready for the 2018
EU data regulations as a hotelier

By Antoine Buhl, CTO, Availpro


As a hotelier, you no doubt engage in online marketing and handle card payments. As a result, the EU’s General Data Protection Regulation (GDPR) affects you more than you’d imagine.

The clock is actually ticking for hoteliers to get data security tightened. GDPR begins in just over 12 months – and it is the most important change in data privacy regulation in 20 years, as it replaces the outdated Data Protection Directive 95/46/EC.

GDPR takes effect on May 25, 2018, although was approved back in 2016. It has been designed to “harmonise data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy” according to the official website,

Now, the very name of GDPR may cause you to switch off – yet the ramifications of not adhering to the regulations certainly won’t.

Here are the key issues and strategies that hoteliers must bear in mind, in order to meet the May 2018 deadline with peace of mind.


What you need to know about GDPR…


  1. Take note of the new penalty

Now this is where hotels really have to sit up and pay attention. Under the old rules, fines for a data breach were based on your overall profit. But under GDPR, they will be based on turnover – and as much as up to 4% of global annual turnover or €20 million.

  1. Don’t think it’s just about Europe

The GDPR not only applies to organisations in the EU, as it also applies to organisations outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. So it applies to any hotel that processes and holds the personal data of data subjects residing in the EU, no matter where that particular hotel is based

  1. Data breach notification

Under GDPR, hotels will have just 72 hours to notify that a data breach, that could pose a risk to individuals, such as credit card details being stolen, has taken place. Those individuals must be notified, as well as your country’s governing data body. For example, for hotels in the UK this would be the Information Commissioner’s Office. Otherwise, expect a hefty penalty fine.


… And how to prepare


  1. Appoint a Data Protection Officer

Designate an existing employee in your hotel or hire consultants to undertake the role. Data tracking is part of GDPR compliance.

  1. Ask for guest permission

With GDPR, there will be a greater emphasis on hotels ensuring customers are aware of what they’ve signed up for. Marketing is key for hotels today, whether it’s promoting sales, new hotel openings or requesting feedback.

  1. Identify where you store data

If you hold data on individuals, ensure it was gained with the data subject’s full informed consent. Check exactly where you hold this data too, across your PMS, CRS, Channel Manager and so on – and even on paper. Check the policy of every solution you use to store personal data. Note that GDPR also restricts the length of time data can be legitimately held before permission is required to retain the data, partly because of the growing threat of cybercrime.

  1. Set up a data protection strategy

All hotels need security procedures from hackers, but the threat is ever changing. The key is to implement a data protection strategy, as with a plan in place you will know where your immediate threats are and how to deal with them and future changes.

  1. Reassure your guests

GDPR goes some way towards helping to reassure guests their details are now more secure; it could also help you grow direct bookings. Tell your guests about GDPR, what you’re doing and why their personal data has never been safer. Communicating this may earn their loyalty for years to come – until the next time the EU updates the regulations…


The data security expert: Viewpoint from Richard Bristow, director at Tamite Secure IT

In our experience few hotels, individuals or chains, have heard of GDPR. A recent meeting of industry leaders showed a hand full of responses to the ‘Have you any plans to implement GDPR’ question. Hotels are not alone in lacking preparation for GDPR but they do need to be one of the leaders because there is so much at stake. In this industry, reputation counts for so much.

The hotel sector is particularly vulnerable to data breaches. The transient nature of the business makes customers and suppliers less focused on data security than on physical security. Hotels represent targets to hackers that have large amounts of financial data. Areas that have been targeted are specifically Point of Sales (POS) systems. These have resulted in large scale loss of funds and data that have inflicted serious financial losses and immense brand damage. Attacks have been targeted at individual properties and to central office locations. Sustained cyber-attacks are the result of a general lack of a Data Protection (DP) software and importantly the lack of business DP strategies.


Antoine Buhl Antoine Buhl – Chief Technology Officer – Availpro

I became an entrepreneur after finishing my studies, and helped set up various start-up companies, including Hypnotizer (video streaming) and PixVillage (peer-to-peer photo sharing). I joined Availpro to develop both platforms and products. I am passionate about building innovative apps, and the processes that lead up to their success.