GDPR – what is this?

General Data Protection Regulation – a new inbox irritation or serious business?

This is a regulation in EU (European union) law on data protection and privacy with all individuals with the European Union. It aims primarily to give control to natural persons over their personal data.

  • In essence businesses must have processes in place to handle clients or guests personal data.
  • Data such as payment information, names, passport and ID numbers, addresses, emails and contact numbers must be stored using the highest possible privacy settings by default
  • By applying the above principle, none of this data is publicly available without explicit consent and cannot be used to identify a subject (person) without additional information stored separately.
  • No personal data may be processed unless expressed permission have been granted through opt-in consent form the data’s owner
  • Businesses must be able to clearly disclosed what data is being collected and how, why, how its stored and if it is being shared to third parties.
  • Users/persons have the right to request a portable copy of the data collected by businesses in a common format, and have the right to have their data erased under certain circumstances.
  • Companies who’s core activities centre around regular processing of personal data are required to employ/appoint a DPO (data protection officer)
  • Business must report data breaches within 72 hours if they have an adverse effect on user privacy.


Most companies, including accommodation suppliers have vast databases of guest history that contain sensitive information such as emails, contact numbers, credit card, passport or ID numbers and names and addresses. One must simply have a process in place to ensure this information is safeguarded from anything or anyone outside the business, and employees must sign agreements as part of their contracts, committing to the data privacy rules in the business. Secondly one should have a an internal procedure in place to safely encrypt and store the info mentioned with only the DPO nominated employee to have access.  Just google and you can find many examples of aforementioned procedure.

All communication to guest history such as emailed specials, tele-sales and newsletter distribution must all have an opt-out choice to the contacted party.

Lastly your website & email footers should clearly indicate a link to your company’s privacy policy (which one again can google and find many templates)

Be careful as this law can be enforced as its a regulation and doesn’t need to be adopted into national governments through legislation as its directly binding and applicable

More reading is always encouraged and we hope this is an end to those annoying tele-sale agents offering mobile deals or insurance!

We hope this helped a bit, as most of ‘us’ have been in compliance partially already for years.

Bye for now





Filling our day

What keep us so busy? Let’s ask what is revenue management is?: selling the right room, at the right time, at the right price to the right client (through the right channel). In essence qualifying … Read more