Seven Steps to Becoming GDPR Compliant Before May 25


With less than a month to go until the General Data Protection Regulation (GDPR) goes into effect, hoteliers are running out of time to prepare for the European Union’s new privacy rules. If they haven’t already, hoteliers must now take steps to assess their property’s current data gathering process and find out which areas the hotel needs to focus on. The following seven steps provide an action plan to guide hotels through the process of becoming GDPR compliant.

1. Educate hotel employees on GDPR compliance and what it means for the property.

In essence, GDPR was brought into effect to strengthen and unify data protection for all individuals within the European Union (EU). Approved by the European Parliament, the Council of the European Union, and the European Commission, GDPR will become enforceable across the 28 member states on May 25, 2018.


GDPR applies to any organization or business collecting data on EU citizens, but the nature of hotels—and the industry’s various data-holding sources such as OTAs and PMS systems—escalates the regulation for travel and hospitality companies.

2. Complete an audit of a hotel’s current data gathering process.

All data about EU citizens are covered under the GDPR. This includes both guests and employees. Review current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. In addition, document what personal, sensitive, and genetic data the hotel hold as well as where it came from and with whom it is shared. Hotels may need to organize an information audit.

3. Assign a data protection officer (DPO).

Designate someone to take responsibility for data protection compliance and assess where this role will sit within a hotel or hospitality company’s structure and governance arrangements. Seek guidance from the hotel’s counsel as to whether appointing a data protection officer (DPO) is required under GDPR. For hotels and hospitality companies handling large amounts of guest data, a DPO is almost certainly required.

4. Develop a map for inbound and outbound data gathering.

GDPR covers activity happening within the EU or data processing by organizations based in the EU. When an EU citizen travels outside the EU, their activities outside the EU are no longer protected by the GDPR unless the organization processing the data is based in the EU.

However, a booking process that happens between a person in the EU and a hotel outside the EU is considered covered by GDPR. So, hotels outside the EU do collect data that is covered by the GDPR as part of their online reservation process. This data needs to be protected with the appropriate safeguards dictated above. And each location where data is stored should be mapped out with a plan on how to address the rights request for data in that location.

5. Verify data processing agreements (DPAs) with third-party vendors.

All the rules that hotels must follow also apply to the software they use. If a hotel uses a product to process its data, that product must adhere to all the same obligations as the property. Every single vendor who receives personal data from a hotel must share a data processing agreement (DPA) with the hotelier to confirm that the vendor is compliant with GDPR rules. The DPA must dictate the purposes for which the processor is processing the data.

6. Upgrade the hotel’s current technology for optimized security.

Encryption is one of many options available to protect data, but it is not specifically required by GDPR rules. Most major cloud service providers and many other companies offer GDPR-compliant systems.

7. Communicate updated privacy policies with hotel guests.

Hoteliers may need to speak with customers at check-in if explicit consent is required for any forms of data collection that require it, such as consent to marketing communications. Customers, employees, or anyone whose personal data is stored at a hotel may request that their data be erased. They can also ask for a copy of all of their data (under the right to data portability) or for their data to be corrected. The GDPR requires companies to answer these requests within one month. This period can be extended under exceptional circumstances by requesting another month.

In regards to collecting data from a child, hoteliers should start thinking now about whether they need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity. Best practice is to avoid collecting and storing data about children unless it is legally required or absolutely essential for handling a reservation.


About the Author
Alexander Shashou is the co-founder and president of ALICE, a fully integrated operations platform for the hospitality industry, uniting back-of-house service optimization with front-of-house guest experience management and messaging. ALICE’s technology suite brings together the hotel front desk, concierge, housekeeping, and maintenance teams, and connects hotel guests to their hotel with a mobile app and SMS. More on GDPR compliance from ALICE here

Previous articleMarch 2018 Rate Peak Drives Profit Growth for Full-Service U.S. Hotels
Next articleKimpton Lorien in Alexandria Completes $2.51 Million Redesign
Alex Shashou is the co-founder and president of ALICE. Since founding ALICE in 2013, the startup has raised a total of $39 million, building a team of over 100 and a global customer base of 2,000+ hotels.