How to… survive the GDPR’s strict new data rules

Businesses should ready themselves now for a host of requests from guests asking how they are using their data, says Sarah Williamson


Respect for guest privacy has always played a crucial part in the success of the hospitality industry, but in today’s hyper-connected world that includes protecting your guests’ precious personal data.

Innovations such as algorithm-led online review systems have already placed data centre stage in recent years, but the competing requirements of guest privacy set against the need to maintain long-term relationships and secure repeat business will become even more complicated to navigate with the introduction of the EU’s General Data Protection Regulation (GDPR).

The GDPR, which is coming into force from 25 May 2018, aims to give new data rights to individuals, principally by fundamentally altering the way businesses approach the collection, storage and manipulation of data, and requiring companies to embed data privacy into their processes and systems.

These requirements will create a compliance burden for any organisations processing personal data and will have major implications for hotels and the hospitality sector.

Failure to comply will be expensive, with fines of up to 4% of annual global turnover or €20m (£18m), whichever is the greater.


How should a business get its data ready for the General Data Protection Regulation?

Find the gaps
For companies unsure of their preparations for GDPR, a gap and risk analysis service is a great first initiative. An analysis can evaluate current data protection procedures and compliance, and assess these against the requirements under GDPR in order to identify gaps. These audits can be crucial in helping an organisation identify the biggest threat in terms of financial and reputational risk.

Raise awareness across all departments
The focus on fines may have brought GDPR to the board and marketing department’s attention, but everyone within the business needs to know how they should be handling information and data access requests when they come into the business.

Be ready for a customer backlash
It is not only business awareness that needs to be dealt with. Consumer rights groups are likely to be campaigning to let the public know of the new rights and of companies’ responsibilities. The Information Commissioner’s Office is also expected to launch a major PR offensive in early 2018, alerting consumers to their new rights as “data subjects”.

A flood of data subject requests is possible, be it access requests from current or former employees, or requests from customers wanting to see what information is held about them or to have it removed. To minimise any resulting disruption, you need to know where data is held and to have processes in place to quickly access, amend and remove it as necessary. You need to be ready to respond to enquiries and formal requests in a way that builds trust. And, conversely, to ensure that distrust doesn’t lead to a haemorrhaging of usable data from your business.

Improve your data transparency
Businesses need to be more prescriptive and detailed in how and why they manipulate data, and also in what data they capture. They will also need to offer evidence of this.

For instance, at media giant Sky, reporting and recording has already become more focused in readiness for GDPR. The company is tagging data with time and date stamps as well as attaching what are called “trackers and gatekeepers” on certain activities so that they can capture the evidence of a change in the way the data is used.

Prepare for another ‘TripAdvisor effect’
Some businesses are making a comparison between GDPR and the disruptive effect that price comparison sites or review sites such as TripAdvisor and Amazon have had on the travel and retail industries.

These innovations forced a shift in the balance of power between marketing departments and customers when it came to the way the brand was seen, defined and able to market and price its products. GDPR will force yet another shift in power from companies to consumers. Trying to stand in the way of this disruptive juggernaut is futile.

Instead, as they have with TripAdvisor and the like, businesses must look for ways to adapt and take advantage of the new world of marketing, data and consumer control.

Sarah Williamson is a partner at Boyes Turner
