GDPR One Year Later: What’s Changed and What’s Still To Come for Hotels


The implementation of GDPR (General Data Protection Regulation) in May 2018 has affected every organization that handles the data of anyone residing in the EU—including citizens of the United States who are living abroad. GDPR intends to give consumers more transparency and control over how their data is used and stored, including the right to request their data be deleted.

In the year since the regulation went into effect, it has left many heads spinning in the hospitality industry. GDPR doesn’t just require the property itself to comply—it also mandates that all third-party vendors handling the property’s data do so, as well. This means that should a third-party vendor or partner breach the regulation, the hotel may still be held liable. Fines can be up to 4 percent of a company’s annual global turnover.

The privacy laws also expanded the types of data considered “personal” to include anything by which a person can be identified, either directly or indirectly. This includes names, addresses, photos, financial details, and IP addresses, among other information.

GDPR has prompted many hotels to re-examine their guest privacy practices, such as how they obtain and use guest data gathered through OTAs, or the impacts of sharing data among multiple properties within one management group. Transferring data now must be fully transparent to the consumer, and all of the ways a property uses the data must be explicit. For example, if a traveler agrees to receive a newsletter, they do not, by default, also agree to receive all promotions or correspondence from a property. Properties and their partners must encrypt personal data to protect the consumer’s identity and ensure that appropriate measures are taken to safeguard the integrity of that data. This is a lot to take in and execute for any hospitality business.


The EU measures are just the beginning of widespread consumer data reform. The California Consumer Privacy Act of 2018, which will become enforceable in 2020, guarantees consumers the right to know what personal data is being collected and why and gives them the option to opt out of the sale of their data.

The rollout of privacy laws across the United States could give consumers access to their stored data and the ability to download or delete it. Hotels can also expect to see specific opt-in requirements for minors. New Jersey and Oregon are considering similar legislation. Vermont recently passed a law regulating data brokers, and Oregon, Colorado, Arizona, and Virginia have expanded their definition of personal information as well as third-party oversight. The trend is clear—all businesses need to get on board with more stringent privacy policies.

The Benefits That Have Come Out of GDPR

Consumers desire transparency, especially from vendors that are handling their financial data. Even though 65 percent of Americans believe they should control what information is gathered about them, just 9 percent feel they have “a lot of control,” according to Pew Research Center. Full transparency with guests builds confidence in their overall experience with a hospitality company—a valuable starting point for a long-term relationship.

Managing Data Details

Companies that go beyond compliance to become advocates of protecting consumer data will benefit as a variety of measures begin rolling out across the United States and globally.

Hotel companies must ensure that digital details are carefully managed and transparent. Call center agents should follow scripts and have an understanding of exactly what data they must collect so that the data is usable in the future. The need for clean data positions hospitality CRMs as among the most essential platforms for complying with GDPR and future regulations. CRM providers must be equipped with automated processes that guide the gathering and storage of data. Otherwise, that data will not be available for future outreach, such as automated email marketing campaigns. Further, when properties seek to convert an OTA guest into a direct-booking guest, they must ensure that guest data is gathered in a way that complies with all regulations prior to using it for marketing.

On-site staff should be expertly trained in how to gather guest data properly. Also, since businesses are responsible for breaches that occur via their external vendors, it’s essential for hotels to vet product and service partners more closely than ever before.

Ultimately, the future of hospitality means proceeding with strategies that consider guest data and privacy. Marketing goals and execution tactics must adapt accordingly. With the introduction of AI, in-stay behavior tracking, mobile data access, and more innovations coming down the road, guests’ expectations will be changing, too. Hotels must stay ahead of the curve by embracing GDPR practices.

Trust is at the heart of what the lodging industry is about, and those organizations that seek to cultivate it will find it pays off in the coming years.

Kyle Buehner is the CEO of NAVIS, a sales and marketing optimization company for the hospitality industry. Buehner started as the company’s first salesperson and is now responsible for all of its business.