On May 25th 2018, the General Data Protection Regulation (GDPR) was introduced, forcing every business within the European Union (EU) to comply with strict new data laws. In fact, this was the biggest overhaul of digital privacy rules since the introduction of the Data Protection Act in 1998.

So, why the fuss, you might ask – particularly if your business is based in Australia? Surely, being – literally – miles from the GDPR means you needn’t pay attention to the new regulation?

Not quite. In fact, as an Australian business operating in the hospitality industry, you’ll almost certainly have to comply with the GDPR.

Why does the GDPR apply to businesses outside the EU?

If you’re a hotel or hostel operator outside the EU and without a physical presence in that region, you’ll still have to abide by the GDPR if:

  • you offer goods or services to guests who are from the EU (they’re known affectionately as ‘data subjects’); and/or
  • you’re monitoring the behaviour of those EU citizens via data capture.

Now, chances are, you’ll have several guests arrive each year whose nationality resides within the EU. You may also collect email addresses and names of such people if they register on your website for online booking or news about your establishment. Sound like your business? Don’t panic – here’s the most common “I’m-not-in-the-EU-but-I-need-to-comply” GDPR questions – answered!

What kind of data do I need to be careful with?

It goes without saying that you need to be careful with all of your guests’ data, but there are certain elements on which the GDPR places a tight focus. This typically relates to ‘personal data’, which is information about an identifiable person. It could be their name, email address, phone number or booking reference – even their IP address. Basically, anything that can uniquely identify them.

However, the GDPR is particularly interested in sensitive data, which some hospitality businesses may store. This includes:

  • health status;
  • sexual orientation;
  • biometric data (for instance, if used for opening room doors); and
  • trade union memberships.

Genetic data, political opinions and religious beliefs also fall within the above category but are less likely to be stored by hospitality businesses.

Does this impact the hospitality software I can use?


If you’re using outdated software or an old online booking system, for instance, it may not provide adequate protection for the personal data it stores. Speak to your vendor about their data processing agreement and find out how they comply – or intend to comply with – the GDPR.

The best vendors of hotel property management software will answer these questions honestly and be able to demonstrate how seriously their system takes data privacy.

How does this affect my staff?

Your staff will deal with personal data on a daily basis. For that reason, they’ll need to be aware of the GDPR and its implications for their roles. No one expects hotel staff to know every nitty-gritty detail about the regulation, but they should certainly operate with a data privacy-first mindset.

The buck usually stops with the managers of departments and the business owner, therefore the heads of marketing, revenue managers and general managers in your business should be given ample opportunity to learn about the GDPR, how it impacts their work and that of their staff. This is all part of proper management.

The more you invest in training for this stuff, the less likely you are to have a team that inadvertently mistreats guest data.

How can I prove to my guests that I take their data privacy seriously?

Start with your website. It should feature a dedicated data privacy policy (these are usually found in the footer) and forced acceptance of your terms and conditions for data usage. However, your privacy notices should be present throughout the online booking process, too, so make sure your booking system vendor can add clear links to them on the portal used by guests.

There’s a lot you can do during check in, too. There’s nothing wrong with reception staff asking guests for their explicit consent for any type of data collection that’s required – particularly if you’re running a loyalty program.

What happens if I don’t comply?

We’re not big fans of leaving blog posts on a negative note, but there really is no getting away from the size of the fines imposed by the EU for non-compliance with the GDPR. If you’re found guilty of this, you could face a fine of up to 4% of annual global turnover, or €20 million (whichever is highest).

Thankfully, GDPR compliance is largely down to common sense. And, if you’re unsure, bring in an expert for some GDPR training and advice – it’ll be a very worthwhile investment.

CMS Hospitality holds over 30 years of experience in delivering hospitality software solutions. GuestCentrix offers the most complete solution in hospitality software, whether you’re running a hotel, a resort or a hostel. Our highly experienced support and installations team holds a unique understanding of the hospitality industry and will aim to provide software that suits your property’s needs.

Call us today at (+61) 2 9440 9711, or email us at sales@cmshospitality.com. We will be happy to guide you to the GuestCentrix solution that’s right for you.