On May 25th, the European Union’s General Data Protection Regulation – GDPR goes into effect. GDPR specifies that customers must explicitly consent for their personal information to be processed and used by the third-party site. This marks a shift towards start building a quality relationship with your Hotel’s guests.

If a customer stays at your Hotel their information cannot be used for marketing purposes or dissemination to third parties without the customer’s written approval.

The good news is that reducing data captured may provide a better experience for customers, both at the time of data collection and throughout the customer journey.

Is your Hotel ready for GDPR?

Are your Hotel ready for GDPR


The GDPR’s right to be informed obligates organizations to state clearly how they plan to use personal data. They must communicate that information in a way that is:

  • concise, transparent, intelligible, and easily accessible
  • written in clear and plain language
  • free of charge

Hotels will have to clearly explain to guests what data they are capturing, why they are capturing it, and who will have access to it.

Data captured in this context includes booking systems and revenue management software.

Today several Hotels use cloud-based systems for relevant consumer transactions.

Hotels will be required to communicate these processes and make sure that technological and organizational measurements it took to meet GDRP requirements.

The key point here is that now is NOT the time to start worrying about capturing relevant data for your Hotel.

Start being transparent about why you are collecting the data, and help your customers understand the value proposition of why you are collecting it.

I have written before about the importance of putting humanness and transparency into context.

Begin with some baby steps. Collect the customer data that you need. Then, with the data, your Hotel has, use it wisely by building better experiences through personalization. This will grow more trust in the relationship which is a key ingredient to long-lasting relationships.


Consent is a principle that builds upon communication.

It means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your Hotel’s reputation.

Check your Hotels current consent practices. Refresh your Hotel’s consents if they don’t meet the new GDPR standards.

Consent requires a positive opt-in. Don’t use any default consent.

Explicit consent requires a very clear and specific statement of consent. And keep your consent requests separate from other terms and conditions.

Make it easy for consumers to withdraw consent and tell them how.


Managing access to date is a key component of GDPR.

It refers to;

  • Implementing appropriate technical and organizational measures for your Hotel. It’s not enough just to say you implemented the appropriate GPDR process, your Hotel has to show that you considered and integrated data protection.
  • Prevent unauthorized access to date which includes any unauthorized access, accidental and unlawful destruction, loss, alteration, or disclosure of personal data, stored or otherwise processed.
  • Notify the relevant party of a breach within 72 hours of first becoming aware of the breach. Relevant authority and the party data concerns of the breach that is likely to result in a risk for the rights of freedom of individuals must be notified.
  • Maintain impeccable records of data processing activities, including information of those who have access to data.


Even though some US Hotels do not actively pursue European consumers I will advise you to work on being compliant and follow similar principles.

Hotels that actively seek European consumption will be required to be compliant with GDRP. With any type of breach, they will be required to report to a European regulator within 72 hours. Non-compliance is subject to some very stiff fines.

Erase Data

GDPR is invoking the right to be forgotten. This means that the consumer has the right to request that all of the personal information that your Hotel possesses is erased. And the consumer is not required to tell why.

Specifically, your Hotel must erase all their data wherever it exists: in files, databases, replicated copies, backup copies, and archived copies too. And your Hotel also has to demonstrably prove that you’ve done so. And if you’ve ever shared this person’s data with another organization, it’s on you to contact them and convey the erasure demand.


Profiling is defined by more than just the collection of personal data; it is the use of that data to evaluate certain aspects related to the individual. The purpose is to predict the individual’s behavior and make decisions regarding it. In the context of your Hotel email marketing, it can be the choice to send a particular targeted email campaign instead of another one.

There are three important aspects of profiling;

  • It implies an automated form of processing
  • It is carried out on personal data
  • The purpose of it is to evaluate certain personal aspects of a natural person to predict their behavior and take decisions regarding it

Hotels will be required to;

  • Give individuals information about the processing
  • Introduce simple ways for them to request human intervention or challenge a decision
  • Carry out regular checks to make sure that your systems are working as intended

Sensitive data

Personal data relating to a living individual who can be identified;

  • From that date, or;
  • From those data and other information which is in the possession of, or is likely to come in possession of, the data controller;
  • And includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual

Sensitive data consist of;

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Data concerning health
  • Data concerning a natural person’s sex life or sexual orientation


Marketing under the GDPR (whether postal, phone, e-mail, SMS or any other form of marketing) is regulated exactly like any other data processing activity.

Also, as a Hotel Marketer, you are concerned with making the most effective use of Social Media tools or platforms such as Facebook, LinkedIn, Twitter, Google+, Pinterest, WhatsApp, Snapchat, or Instagram.

The last thing your Hotel is likely to worry about is having your followers, friends, or connections actually providing you with consent to store or use their data.

You will be pleased to hear that as far as consent and data use is concerned, there will be effectively covered by the terms and conditions and privacy notices of each of these Social networks.

Due to the existing legislation is known as EU-US Privacy Shield, US organizations (including Social Media network providers) can self-certify and commit to this framework agreement which underpins their protection of EU citizen data entrusted to them.

In short, this means that both your Hotel and your Social Media audience agree to the terms of the tools you use. GDPR will also require them to have an accountable EU representative that can be held to account for the GDPR compliance of the organization within Europe.

There are three key areas that Hotel marketers need to concentrate on data permission, data access, and data focus.

And two main areas will be impacted by a Hotel Marketing perspective;

  • Email marketing

Ensuring users opt-in to your Hotels email marketing campaigns and give consent to be contacted will be a requirement, rather than automatically adding them to your email list and then waiting for them to opt-out.

  • Marketing automation

Hotels need to make sure that every name in their CRM database and every email in the automation system has given proper permission to market to them. And, if someone opts out of an automated email sequence, that the two systems are updated to ensure that no further emails are sent.

Data transfer outside the European Union (EU)

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organizations.

These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.

Hotels need to understand that GDPR will apply when organizations use online IT services, cloud-based services, remote access services, or global HR databases among others will often need to implement lawful data transfer mechanisms.

To prepare for the requirements of the GDPR, Hotel should:

  • Review their existing and planned business operations;
  • Identify all circumstances in which personal data are transferred to recipients located outside the European Economic Area (EEA); and
  • Ensure that, for each such transfer, the organization has in place a data transfer mechanism that complies with the requirements of the GDPR.


The May 25 GDPR Compliance dateline is here very soon. Make sure your Hotel is compliant.

As a Social Media Consultant, I see this shift as extremely valuable where the focus be on humanness and transparency.

We are again starting to value the quality of the relationships. Consumers will be in control of their information, also, to already be in control of your Hotels brand message.

Reputation Management will become even more important for Hotels.

It is also wise to consult with legal Hotel experts that specialize in GPDR. They can help your Hotel with write consent forms with the appropriate terminology.

As I started with this is NOT the time to start worry. Start with baby step actions and build a solid framework that supports this new valuable shift for all of us.

With any major shift, we all will run into pain points and challenges. Looking at this shift long-term we will all see a new landscape beyond the disruptions and Social Media clutter.

Focus on implementing new key strategies to build quality relationships with customers and Hotel guests.

Take actions to aid your Hotels GDPR readiness, but even more important than that, do so to establish trust and build a stronger relationship with your consumers. This is an important step towards providing your Hotel’s consumers with truly delightful experiences.

If your Hotel needs help to put it all together then make sure to let us know.

We are in this together!

I need to let you all know that we are in on this together.  If you need to vent, talk, cry, or just have some to talk with then I am here listening. Since I am working part-time at the local Kroger, I will to the best of my ability to work it out around my schedule.

But you can reach me here:

Email: hotelblogger@aremorch.com

LinkedIn Profile

LinkedIn Page

Also, join us at our Facebook Group – Hotel Social Media Community

We will get through this unprecedented event together! #hotelstrong #hospitalitystrong

For any specific information on COVID-19, I recommend go to CDCWHOAHLAAAHOA, and HSMAI. Also, follow information from your local authorities.


We are starting to reopen some hotels again (Yay!!!). Make sure you follow their guidelines and say THANK YOU to those that now show a unique spirit to serve, and helps us all get through this!! #hotelstrong #hospitalitystrong

About Are Morch

Hi, I am Are Morch. Your Digital Transformation Coach and Customer Experience Expert specializes in creating effective digital customer experience offer for hotels while growing and scale customer acquisition and revenue.

Get more from Are on Facebook | Twitter | LinkedIn | Pinterest | InstagramPodcast