GDPR in 3 minutes for hotel marketers [video]

With the General Data Protection Regulation (GDPR) coming into effect tomorrow (25 May 2018), we know that many hotel marketers are wishing for a magical way to ensure their marketing procedures are compliant. So, we searched far and wide for the mystical GDPR Genie, and put together this quick video with all of the advice that he has for marketers who want to make sure that their everyday activities comply with the data protection standards.

Many, if not most, marketers are wringing their hands in anguish at the stricter rules for the handling of personal data the GDPR brings into effect. For smart hotel marketers who want to treat people’s time, attention, and data with the respect it deserves, however, these new regulations are not bad news.

The GDPR isn’t actually all new

From CAN-SPAM in the USA to POPI in South Africa, there are already a multitude of data protection rules that guide the ways marketers can engage with people.

The GDPR is built upon the existing EU Data Protection Directive (DPD), which already encompassed many of the values of the GDPR. However, because the GDPR is a regulation (while the DPD was a directive) EU member states are now bound by it without having to pass any of their own laws.

Does the GDPR apply to my hotel?

If your hotel is in Europe, if you have European guests, if you track the behaviour of people in the EU (with analytics tracking on your website, for example), and even if you might reasonably be considered to be marketing your hotel to EU citizens, the GDPR applies to you.

It makes sure we are marketing to the right people

One of the core principles of the GDPR is transparency. This means that data controllers like accommodation providers have to tell their guests whenever they are collecting and storing their data, and why they are doing so.

Just because you had someone's consent to store their data for one purpose (to send them their bill via email), it doesn't mean you can continue to use that data for other purposes (sending promotional emails). Whenever you will be processing personal data for any reason other than the reason you first gave when you collected it, you should seek people's informed consent, or at the very least let them know that the reason you are storing their data has changed, and give them an opportunity to object.

Hotel marketers not only need to think carefully about what benefit they get from storing the data, but also what a guest or potential guest would get from divulging that information. 

When can my hotel store data?

Guest data: Your hotel probably stores data about guests when they book and check in, including details such as their name and email address.

You might need this data to send them:

Storing this data is necessary for performance of contract, and guests should know you have this data, and why you have it.

Want to keep storing this data after a guest has left? You need to have a clear reason for doing so.

  • You have a legitimate interest in making sure that your services are up to scratch
  • You want to send a post-stay survey asking how they found their stay

It is best practice to let guests know you will be storing their data for this purpose as well.

Sending post-stay surveys gives you a chance to get consent to keep storing data and keep in contact with past guests. This means that:

  • All those carefully crafted emails about your great offerings are less likely to end up in people’s bins
  • And your sender reputation is less likely to be marked as spam.

Plus you get to see your property through your guests’ eyes and gain invaluable insights!


Data collected online: If you are collecting data about visitors to your hotel’s website, all the same rules apply.

When people sign up for your mailing list, or enter their details for a competition in the hopes of getting that free weekend away, they need to know exactly what data you are storing, and what you plan on doing with it.

The GDPR explicitly states that IP addresses and cookies can be used to identify people, and should therefore be considered personal data. This means that if your site uses cookies, you need to ensure that people are aware of this, and why and how you use cookies to track their behaviour or record data.

The GDPR differentiates between people and businesses

The GDPR applies to “any information concerning an identified or identifiable natural person”. This means that the laws apply to information about individual people like you and me, but not to the data relating to “legal persons” like businesses.

This also means that if you need to store information about a travel agency you are listed with, or a business that has booked your meeting venue, for example, you can do so, as long as the data is about the company, not a person.

It guides us to treat each other’s data respectfully

The GDPR encourages data controllers (entities like accommodation providers that store and use other people’s personal data) to handle the data carefully, and gives ordinary people more rights regarding their personal data.

These include:

  • Right to know when and how data will be stored and used
  • Right to request a copy of their data record
  • Right to request that their data record be updated
  • Right to have data about them deleted (also known as the right to be forgotten)
  • Right to opt out of communication at any time

It forces us not to hoard

Under the GDPR, you can only collect personal data under certain circumstances:

  • When you have the person's consent
  • When you have to store their data to perform a contract you have entered into with the person
  • When you have to keep the data for legal reasons
  • When you need the data to protect people
  • When you need the data to perform official tasks, or tasks in the public interest
  • When you have a legitimate interest that requires you to store the data

You are also not allowed to store more data than you need to, or for longer than you need to.

So, no more hoarding data just for the sake of it — it’s time for a spring clean.

The GDPR's requirements for increased transparency and respect for personal data couldn't have come at a better time for the hospitality industry. As the currency of online trust becomes ever more valuable, and the inner workings of businesses are on display for all to see on review sites and through other user-generated content online, transparency is no longer an option, and trying to fight the rising tide of openness is only likely to damage a business's reputation in the long run when its duplicity is inevitably exposed.

Being one of the good guys who wholeheartedly embraces transparency throughout your organisation, from the way you treat your staff to the way you handle guests' data, will stand you in good stead to garner the goodwill of the public, and important brand ambassadors.

Disclaimer: GuestRevu is not a law firm, and the opinions and interpretations of the GDPR expressed in this blog and video should not be taken as legal advice. Rather, it should serve to help you gain a better understanding of the principles of respecting people’s data in your marketing efforts. If you have any questions about how the GDPR should be applied to your particular business, we recommend that you consult an attorney.

Recent Blogs