What is GDPR?
GDPR (General Data Protection Regulation) is an EU law concerning data privacy and security, widely considered the most stringent data protection regulation globally. The primary goal of the GDPR is to protect individuals’ rights to privacy and data security.
- Application Timeline: The GDPR officially came into force in 2016 after being passed by the European Parliament. All organizations were required to be fully compliant starting May 25, 2018.
- Global Scope: The law applies if an organization – even if it is not based in the EU – processes the personal data of EU citizens or residents, or offers goods and services to them. This gives the law a broad global reach.
- Penalties: Penalties for non-compliance are extremely high, featuring two tiers of maximum fines: €20 million, or 4% of annual global turnover (whichever amount is greater). Furthermore, data subjects have the right to claim compensation for damages.
Does GDPR apply to Holiday Rental Owners?
Yes, it does. The GDPR applies to your organization, even if you are not based in the EU, if you:
- Process the personal data of EU citizens or residents.
- Offer goods or services to those individuals.
In the accommodation industry, “offering services” and “processing personal data” are inevitable actions once a booking request is received.
- Personal data includes names, email addresses, location information, and other details necessary for a reservation.
- Data processing includes any operation performed on that data, such as collection, recording, organization, storage, or use.
Therefore, if an accommodation provider in Asia, the Americas, or any other region receives a booking request or collects information via their website from someone located in the EU (for example, a German or Italian tourist), that establishment must immediately comply with the core principles of the GDPR.
Key GDPR principles for hosts
When you process data, you have to do so according to seven protection and accountability principles:
1. Lawful, fair, and transparent processing
You must have a clear legal basis for collecting and processing guest data. For the mandatory guest register, the legal basis is a “legal obligation” under the Immigration (Hotel Records) Order 1972. For any non-mandatory data (e.g., for marketing), you’ll need the guest’s explicit consent.
Be transparent: Inform guests about exactly what personal data you are collecting and why. A privacy policy posted on your website or booking page is an effective way to do this.
2. Purpose limitation
You can only use guest data for the specific, legitimate purpose for which you collected it. Example: You can use a guest’s email address to send check-in instructions for their booking. You cannot use it to send marketing emails unless the guest has given you separate, explicit consent to do so.
3. Data minimization
Collect only the information that is strictly necessary.
- Guest register: The legal minimum is limited to a guest’s name and nationality. You do not need to record their home address or contact number unless you have a separate, valid reason for it.
- Booking information: You will also need information required for the booking process, such as contact and payment details.
4. Accuracy
Ensure the data you hold is accurate and up to date. It is good practice to confirm guest details upon their arrival.
5. Storage limitation
You must not keep personal data for longer than necessary.
- Guest register: You are legally required to keep guest register details for at least 12 months. After this period, you must securely delete or destroy the records.
- Other data: For other information, like payment details, you should only retain it as long as necessary to process the transaction.
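The storage-limitation and data-minimisation principles above translate directly into a retention policy that can be enforced by code rather than by memory. The following is an added example (not from the article, and not the code of any property management system) showing one way to do that: a guest register entry is reduced to the legally required fields, and each category of data is dropped once its retention period has passed. The 12-month register period follows the article; the zero-day payment retention and the 30-day contact retention are assumptions chosen for illustration, as are the field names and sample bookings.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Retention periods per data category. The register period follows the
# article (keep at least 12 months, then delete); the other two are
# assumptions made for this example.
REGISTER_RETENTION = timedelta(days=365)   # guest register: 12 months after departure
PAYMENT_RETENTION = timedelta(days=0)      # payment details: only until the transaction is settled
CONTACT_RETENTION = timedelta(days=30)     # contact details: assumed 30 days after departure

# Field names are constructed for this example.
REGISTER_FIELDS = ("name", "nationality")          # legal minimum for the register
PAYMENT_FIELDS = ("card_last4", "card_token")
CONTACT_FIELDS = ("email", "phone", "home_address")


@dataclass
class Booking:
    booking_id: str
    departure: date                   # end of the stay
    payment_settled: Optional[date]   # None while the transaction is still open
    data: Dict[str, str]


def minimise_register_entry(data: Dict[str, str]) -> Dict[str, str]:
    """Data minimisation: the register itself stores only the required fields."""
    return {k: data[k] for k in REGISTER_FIELDS if k in data}


def expired_fields(b: Booking, today: date) -> List[str]:
    """Return the fields whose retention period has elapsed as of `today`."""
    gone = []
    for f in PAYMENT_FIELDS:
        # Payment details survive only until the transaction is settled.
        if f in b.data and b.payment_settled is not None \
                and today >= b.payment_settled + PAYMENT_RETENTION:
            gone.append(f)
    for f in CONTACT_FIELDS:
        if f in b.data and today >= b.departure + CONTACT_RETENTION:
            gone.append(f)
    for f in REGISTER_FIELDS:
        # Register fields are kept for the full legal period, then removed.
        if f in b.data and today >= b.departure + REGISTER_RETENTION:
            gone.append(f)
    return gone


def apply_retention(bookings: List[Booking], today: date) -> Tuple[List[Booking], List[Tuple[str, str]]]:
    """Delete expired fields, drop empty records, and return an audit log.

    The log records only booking ids and field names, never the values,
    so it can itself be kept as evidence of accountability.
    """
    kept, log = [], []
    for b in bookings:
        for f in expired_fields(b, today):
            del b.data[f]
            log.append((b.booking_id, f))
        if b.data:
            kept.append(b)
        else:
            log.append((b.booking_id, "<record removed>"))
    return kept, log


def sample_bookings() -> List[Booking]:
    """Constructed sample data (not real guests)."""
    full = {"name": "A. Guest", "nationality": "DE", "email": "a@example.invalid",
            "phone": "000", "home_address": "n/a", "card_last4": "0000", "card_token": "tok"}
    return [
        Booking("A-1", date(2024, 5, 1), date(2024, 4, 20), dict(full)),   # over a year ago
        Booking("B-2", date(2025, 3, 1), date(2025, 2, 25), dict(full)),   # three months ago
        Booking("C-3", date(2025, 6, 10), None, dict(full)),               # stay not yet over
    ]


def run_example(today: date = date(2025, 6, 1)) -> Tuple[List[Booking], List[Tuple[str, str]]]:
    return apply_retention(sample_bookings(), today)


if __name__ == "__main__":
    kept, log = run_example()
    for b in kept:
        print(b.booking_id, sorted(b.data))
    for entry in log:
        print("deleted:", entry)
```

Running the job with a date of 1 June 2025 removes the year-old record entirely, strips payment and contact details from the three-month-old booking while keeping its register fields, and leaves the unfinished stay untouched. Deletion here is logical; for paper records the equivalent step is shredding, and for encrypted digital backups it is destroying the key that protects the expired data.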
6. Integrity and confidentiality
Protect the data from unauthorised access, loss, or theft.
- Digital records: If you use an electronic system, it should be secure, for example, by using strong passwords and encryption.
- Physical records: Paper guest books and documents containing personal information must be stored in a secure, locked location, not left lying around.
7. Accountability
The owner of the accommodation facility acts as the Data Controller and must demonstrate their ability to comply with the GDPR.
- Security Measures: Appropriate technical and organizational measures must be applied to ensure data is processed securely.
- Technical: This includes using two-factor authentication (2FA) on accounts that store data, or contracting with cloud service providers that implement end-to-end encryption.
- Organizational: This involves training staff, adding a data privacy policy to the employee handbook, or restricting access to personal data only to necessary personnel.
- Data Breach Reporting: In the event of a data breach, the Data Controller must notify the data subjects within 72 hours to avoid facing penalties.
Practical steps to ensure compliance with GDPR
1. Register with the ICO
You may need to pay an annual data protection fee to the Information Commissioner’s Office (ICO). Use the ICO’s self-assessment tool to check if you need to register.
2. Create and share a privacy policy
Make your privacy policy easily accessible, for example, on your website or booking confirmation email. It should clearly explain:
- What data you collect and why.
- Your legal basis for collecting it.
- How long you will keep the data.
- How guests can exercise their rights, such as requesting access to or deletion of their data.
3. Manage data securely
- Use a secure, GDPR-compliant property management system if you handle bookings digitally.
- For physical documents, keep them in a locked filing cabinet and shred them when they are no longer needed.
- Never share guest data with third parties (for example, giving a cleaner a guest’s contact details) without the guest’s explicit consent.
4. Understand and act on guest rights
Be prepared to handle requests from guests regarding their data. Under GDPR, guests have the right to:
- Access their personal data.
- Request corrections to inaccurate data.
- Ask for their data to be erased, subject to the legal retention period for guest registers.