Computer and ipad image

Accommodating the GDPR in the Hotel Sector: Demystifying three key issues


Posted by , , , on

Summary: With one month before the GDPR goes live across the EU ushering in an enhanced enforcement regime, there is little time left to prepare. With the deadline of 25 May 2018 in mind, and a general acceptance even by the UK regulator (the ICO) that not every business will be 100% compliant at the outset, this blog offers three tips where last minute gains could be made by operators and investors in the hotel and leisure industry:

When are processing agreements really required?

The willingness of organisations to comply with the GDPR, and the complexity of applying the “controller” and “processor” roles, has resulted in a default position where all third parties tend to be viewed as “processors”. In practice it will not always be obvious whether a third party should be considered to be a controller or a processor. Where a third party is correctly categorised as a processor, Article 28 of the GDPR requires (enhanced) data processing provisions to be in place. If the third party is a controller, however, the requirements are less clear cut and, except in the case of “joint controllers”, the GDPR does not specify any particular matters that must be covered in processing agreements.

In situations where there is a question over the role of your third party, it may be attractive to seek to treat them as a processor as part of a “belt and braces” approach to compliance. This can lead to  unnecessary work; another disadvantage is that practically, many of the clauses that Article 28 require a controller to impose on a processor will not be commercially workable if the third party is also acting as a controller in providing the services.

How can we avoid losing our marketing list?

Electronic marketing is primarily regulated by the ePrivacy Directive, not the GDPR. This multi-layering of regulation consistently causes confusion for businesses.

Many companies will have reviewed their marketing lists and practices during the course of their GDPR preparation. This is likely to be as a result of changes to the definition of “consent”, which is harder to obtain under the new legislation, and must be capable of being demonstrated. Before taking significant decisions regarding marketing lists, it is worth bearing in mind that the Article 29 Working Party (“A29WP”) and the Information Commissioner’s Office (“ICO”) continue to release guidance that is relevant to this area. In particular, the A29WP’s guidelines on consent were finalised earlier this month, and the ICO is in the process of finalising its own guidance on the topic. Without considering fully what these documents say, there is a risk of making decisions about existing marketing databases that cannot be undone. “Re-consenting” is often referred to, but is not necessarily the most attractive option for companies, either legally or commercially.

To further complicate matters, the ePrivacy Directive will soon be replaced by an ePrivacy Regulation, which has not yet been finalised. Drafts of the Regulation have been published; however, companies may need to review their marketing practices again once the legislation is published in its final form.

Privacy policies

The fact that privacy policies are public-facing has made them a priority for many companies. Websites are likely to be a critically important element of a hotel’s communication and guest engagement strategy.  At present there is no “market practice” regarding how these documents should be structured, or the level of detail that they should go in to. What is clear, however, is that privacy policies are living documents, and that the expectations of regulators will necessitate them being revisited on a regular basis. Companies in the hotel and leisure sector rely on increasingly complex data flows to operate, and so a process will need to be in place to ensure that material changes to a company’s practices are reflected. A well-drafted privacy policy should help prevent issues arising down the line. At a time of heightened focus and concern over apparent abuses of trust involving personal data, the clarity and accuracy of privacy policies – and their potential for reassuring and communicating with guests – means the privacy policy is a document worth prioritising.

This site uses cookies to help us manage and improve the website, your browsing experience, and the material/information we send to our subscribers. For further information about cookies, including how to change your browser settings to no longer accept cookies, please view our Privacy Notice. Otherwise we will assume you are OK to continue.