Get the latest hospitality news and inspiration straight to your inbox. Subscribe to our newsletter.

Wake-up call: Is your hotel registered to process personal data?

Written by:
Written by:
Wake-up call: Is your hotel registered to process personal data?

If you hold personal data relating to your guests, you could fall foul of the law if you’re not registered to do so. Alex Meloy explains

The problem
Hotels collect a large amount of personal data in relation to their guests, which they use to make bookings, take payments and send marketing messages to those guests.

Personal data is essentially any information about an individual that can be used to identify them, whether on its own or in combination with other information.

Depending on the extent of the data processing undertaken, a hotel may be required to register as a data controller (essentially, the custodian of the data) with the Information Commissioner’s Office (ICO). However, there is a tendency for hotels to rely on guidance put out by industry bodies with regards to the obligation to register. While the guidance is well intended, there is often a failure to understand that nuances in individual practices can have a significant effect on the need to register.

The law
UK data protection law is contained primarily in the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

The act requires all data controllers to register with the ICO unless exempt. Failure to do so is a criminal offence. The ICO also has the power to issue fines of up to £500,000 and to take other enforcement action.

Expert advice
Whether you need to register depends on numerous factors; there is no one size fits all.

The ICO’s website features a useful self-assessment tool, which asks a series of yes/no questions about the processing activities of a business and indicates whether registration is required. However, this tool shouldn’t be relied on in isolation. In particular, it doesn’t take into account certain exemptions that a hotel might be able to rely on to avoid registration. The most relevant exemption is for hotels that only use personal data for so-called ‘core business purposes’, which boil down to the types of processing a business would struggle to operate without – ie, processing for the purposes of:

  • Staff administration
  • Advertising, marketing and public relations
  • Accounts and record keeping essential for the operation of the business (such as processing a customer’s billing information).

If processing is limited to these activities, then registration may not be necessary. However, conditions apply. For example, the exemptions don’t apply if personal data is kept for longer than necessary or is disclosed without consent to third parties not involved in the specified processing activity.

Furthermore, there’s no exemption if a business is marketing someone else’s goods and services or selling customer lists to third parties, or if it engages credit reference agencies to credit check customers who are individuals.

Luckily, there is a useful rule of thumb that is particularly relevant to hotel businesses. If a hotel uses CCTV on site for crime prevention purposes (whether in the hotel itself or perhaps in the car park), then registration is mandatory. Given the ubiquity of CCTV in today’s world, and particularly in the hotel business, the answer is almost certainly going to be yes. However, it’s a question that is often overlooked, so it’s important to keep it in mind.


  • Is CCTV used on site for crime prevention purposes? If so, register.
  • If not, is processing limited to core business purposes? If so, do any of the processing activities disapply the exemption? If so, register.
  • If in doubt, register – it’s straightforward and relatively inexpensive.


It is a criminal offence not to register when required to do so. There’s also the possibility of bad publicity, which can affect the trust that customers place in your business.

When deciding whether to register, you should take the time to review your data protection practices generally. Registration is the beginning of compliance, not the end. With the new General Data Protection Regulation bringing in a stricter regime from mid-2018, it makes sense to get your house (or hotel) in order now.


Alex Meloy is an associate solicitor in the intellectual property and commercial team at London law firm Howard Kennedy LLP

Start the discussion

Sign in to comment or register new account

Start the working day with

The Caterer’s free breakfast briefing email

Sign up now for:

  • The latest exclusives from across the industry
  • Innovations, new openings, business news and practical advice
  • The latest product innovations and supplier offers
Sign up for free