Choose your topics

The GRC Trends to Look Out for in 2024

Our GRC experts at SureCloud share their 2024 predictions for the world of governance, risk and compliance.

The Top 5 Challenges of Third-Party Risk Management

With the supply chain now seen as a legitimate attack path, what can your organization do? Let’s explore 5 challenges of TPRM and how to overcome them.

Third-Party Risk Management GRC
What is Third-Party Risk Management?

What is third-party risk management and how should you approach it? Find out in this post.

Third-Party Risk Management GRC
The Top 4 Challenges of Risk Management

What are the top four challenges of risk management today and how can you overcome them? Find out in this post from SureCloud.

Third-Party Risk Management GRC
Transform Compliance into Your Competitive Advantage

In GRC, compliance is often viewed as a cost that makes it harder to pursue growth. Here's how to make it your competitive advantage.

Compliance Management GRC
Questions You Should Ask when Preparing For Your First Pen Test

Understand the processes that you and your chosen pentest provider will travel through for your first pen test, from the initial point to the day the test starts.

Penetration Testing
TPRM Blog 6-Writing Clear Questions

Our GRC Practice Director explores the importance of clear communication and how to achieve it in your third party questionnaires. Read more here.

Third-Party Risk Management GRC
The Simple Way to Combat Phishing

SureCloud Cybersecurity Practice Director Luke Potter shares his tip to stay ahead of attackers phishing for your downfall.

Penetration Testing
See Yourself in Cyber With Janhavi Deshpande

See Yourself in Cyber With Janhavi Deshpande - SureCloud

Cyber Security
Vector (7)
Data Privacy, GRC

Simple steps hotels can take to work towards GDPR Compliance

Simple steps hotels can take to work towards GDPR Compliance
Written by

Alex Hollis

Published on

1 Aug 2019

Simple steps hotels can take to work towards GDPR Compliance


Our GRC Solutions Director, Alex Hollis, was recently approached by Click. to provide commentary for a headline article, “Protecting Your Business Against Data Breaches.”

The article looked into ‘Hospitality Technology’s 2017 Lodging Technology Study,’ which showed that 74% of hotels don’t have proper data protection measures in place. Click. wanted some expert knowledge into what properties can do to protect their guest’s data.

Here Alex outlines the amount of data that can be taken during a guest’s stay and the importance of it being protected: 

Booking process

Hotels share much of the same data handling issues as the broader hospitality sector. They must take reservations including name, phone numbers, addresses, card details, and even IP address information when booking online. This is further compounded by the nature of booking agents (,, etc.) who may process the data on behalf of the hotel passing on the reservation details. The view of whether these agents and the hotels are controllers or processes under GDPR is a minefield.

International hotels could argue they are exempt from GDPR as the hotel is based outside of the EU, however, with the nature of booking sites, etc, the transaction capturing the personal data can occur targeted at an EU citizen and therefore would fall under GDPR.

Checking in

When the guest arrives, after passing under the CCTV cameras and potential ANPR cameras on the car-park, there is often the checking-in process whereby additional personal information is captured and cards swiped for incidentals. There may also be the disclosure of medical conditions and disabilities as part of the special requests, which would be deemed sensitive information. Documents are printed and signed. This creates a number of articles laden with personal data both in electronic and paper formats, that must be shown to be protected.

During your stay

During the stay, there may be additional purchases associated with the room, some of which may be considered private to the individual.

Checking out

When the guest leaves, there is then the question of how long the guest records are retained. My experience is that hotels legacy front desk software will keep guest information, under the purpose of improving future guest experience which would need explicit consent from the guest in order to be lawful.

GDPR Cases

Most of the cases that are being brought forward around GDPR are from unhappy customers or ex-employees, and as such, the hospitality industry is not going to be at the forefront of GDPR case law as it comes through the courts.

The steps properties can take to protect their guest’s data:

1. Understanding what data you have, and the processes involved. This is a huge step which involves understanding fully what you are doing.

2. Treat personal data with more respect for its value, more like money, reduce the places that you’re storing it and then protect those places.

3. Reducing the number of systems where the data is duplicated (paper copies etc.)

4. Ensure that the critical areas are secure with encryption and good IT security best practices.

5. Make sure that you’re covered from a legal compliance standpoint that you are lawful to continue processing the data under the recent GDPR changes, hanging on to personal data because it might be useful is not OK anymore and could land you in hot water.

Learn about our Data Privacy Management solutions here to see how we can help.