GDPR | Data Protection Acts for Hotels


GDPR (General Data Protection Regulation) is now active in Majority of developed countries with tough fines (4% of Global Turnover & Euro20M) for the offenders. In India a Personal Data Protection Bill has been submitted on 27th July 2018 and is in the process of debate & adoption.

Explosion of the online Apps and consumer preference to online buying has made the Personal Data of citizens and behavior pattern available to providers. Lot of times, as individual data passes through various channels in such cases, it has led to Individual Data being shared or leaked for commercial reasons. In a recent event, a huge fall was observed in Facebook market cap (approx. $ 120 Billion) because of data privacy laws, which resulted in new security expenses (which means possibly earlier it was not safe) by their own admission.


itSimple has been part of multiple discussions at various forums on GDPR / Data Protection Laws & will like to highlight the impact of the GDPR as well as new regulation in India (once in force). In this and subsequent blogs, we shall be sharing the industry wise impact on various sectors starting with the Hospitality Industry (Photo).

Read : Getting Ready for GDPR Compliance in 2018


India is one of the major hubs for the Hospitality. The sector’s total contribution to GDP stood at US$ 208.9 billion (9.6 percent of GDP) in 2016 and (US$ 424.5 billion), 10 percent of GDP in 2027.

GDPR / Data Protections Laws are being adopted by all the leading Hotels across the globe. The reasons why hospitality is one of the most impacted by the Data Protection Acts are:

  1. Hospitality Industry focus on HNI & well to do individuals/ organizations, these citizens are most paranoid about privacy
  2. Hotels have far too many touch points regarding Personal Information (food habits, daily routine, clothing, favorite entertainments, brand choice etc.)
  3. GDPR is applicable to any organization across the globe that stores or processes European Resident data
  4. European citizens have business relations across globe.
  5. One Data Breach is enough to sabotage organization reputation, and especially loss of business
  6. Any decent size hotel has many vendors and lot of individual service providers.
  7. Hotels need the “ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”. It means they need well designed data protection solution including Backup / Archival solutions and it is required critically across 24×7.

To-do list for all the hotels –

All the leading hotels need to align with the GDPR rules, and sooner or later all the other countries will also follow with their own rulings. So, it is crucial for hotels to create their internal privacy organization and GAD to rebuild.

  1. Visibility Mapping of Personal Information (PI)
  2. For ensuring a structured methodology execution for change implementation, following steps are suggested:
    1. Privacy Organization structure in company
    2. Privacy Objective,
    3. Policies, Processes,
    4. Internal audits,
    5. Regulatory Compliance Intelligence,
    6. contract management,
    7. Purpose bound usage & Access to Personal Information,
    8. Incident management system
    9. Train of staff about the regulation and its importance
  3. Customer Handling
    1. Before soliciting any information from guest take their consent and inform them why the data is needed and what will it be used for?
    2. If a guest request to delete, modify or not provide the data (which is not required by law), honor them as they have the “right to be forgotten” & “Ask back their data”. Hence, it’s the responsibility of hotel people to add some flavors in their hospitality.
    3. Exhaustive Consent framework from in Booking / Check-in forms, from Implicit “take it or leave it” to Explicit “Legal, Notice, Choice and Consent” & “purpose limitation”
    4. Framework for “Ask the data Back”, “Right to be forgotten” for part of personal data.
  4. Vendors
    1. Vendors who are getting PI to be “GDPR Ready”
  5. IT System
    1. Have a comprehensive approach to data protection including data safety, security, protection, retrieval, disposal and discarding aspects.
    2. To ensure the Backup / Archival, Data Leakage Prevention systems are up-to-date

Read : Indian IT Companies are not ready for GDPR Compliance 2018

Generic Methodology for getting organization ready for GDPR compliance.

  1. Introduction to Sponsors / Top Management
  2. Mapping of PI
  3. Information Life Cycle and flow mapping, each one GDPR compliant.
  4. Privacy Organization set up
  5. Purpose, Goals & Structure
  6. Ecosystem and function mapping
  7. Privacy Policies & Processes
  8. The mechanism for Regulatory Compliance & Intelligence
  9. Managing Contracts
  10. Purpose bound usage and access
  11. Incident Management System
  12. Security
  13. Data-centric
  14. Privacy by design
  15. Backup / Archival / Data Availability, 3 safe / secure copies
  16. Training & Awareness
Tags: No tags

Comments are closed.