Table of contents

What is GDPR?

In a nutshell, the General Data Protection Regulation (GDPR) is all about your guests’ privacy rights. Importantly, it is not just relevant for hotels based in the EU but any hotel that processes any data from EU customers. So that means if you would like to collect data from any of the 500 million Europeans on the planet — who also happen to be the most avid travellers — then you need to comply. Sadly, unless you want to play russian roulette with a multi-million Euro fine, there are no shortcuts...

In practice, it means marketing will become more challenging for hotels as explicit consent will be needed from the customer for each marketing purpose. In other words, if you have captured an email for a newsletter, then you have to ask for explicit consent again for the email campaign, and so on. However, that does mean that those who do give consent are likely to be more engaged guests.




What happens if I don’t comply?

GDPR is no warm and fluffy decree from Brussels - it’s all encompassing, aggressive and serious and there are eye-wateringly heavy fines if you don’t comply. How much? Up to €20 million or 4 percent of your annual revenue, or whichever is higher…

Key takeaways for hotels

Change your mindset

Consider GDPR as an unprecedented opportunity to rebase your approach to data and wipe the slate clean. Start thinking about customer data in a different way. Instead of asking for information for the sake of it, frame the requirement for any customer data point as dependent on some value you can offer them for that information. If you can’t offer value or a service based on that information, then you probably should not be asking for it.

From there it becomes clear that you then need tools that allow you to actually offer services to customers in exchange for any data. For a hotel, this means you need a flexible PMS that allows third party service providers to plug into directly. In technical terms that means you need a cloud-based PMS with an open API that service providers are increasingly integrating with.


An ecosystem of disruptive solutions exists to plug into your hotel via Mews


The ‘Right of Access’ and the ‘Right to Rectify/Delete’ parts are the most alarming and critical features of GDPR. It means that anybody whose data is in your system has the right to obtain confirmation of whether you have that data, where it is and be able to delete it. So if a guest wants to find out if a hotel has information about them stored away, the hotel has to be able to produce that information and potentially modify it.


Why open platforms do it better? With today’s pace of technological change, it’s vital for hotels to be plugged  into an ecosystem of products that is constantly evolving and adapting...   CLICK HERE TO LEARN MORE


Many hotels use PMS systems that do not have the ability to recall data of past customers in a way that can tell a customer where that data is stored, what data it is and how it is being used (eg. passed on to third parties) or the ability to delete it. Fragments of data about a specific guest too often lie scattered across multiple profiles that have been created for that same person and stay hidden due to rudimentary PMS search engines that can only filter by surname. If any of this information exists in your system then you have an obligation to be able to show the guest which profiles their information may be stored under. If you cannot communicate all this to your customer with your current solution, it might be the perfect time to review your PMS system.

Mews Commander

The Mews Commander PMS is a cloud-based solution that can instantly answer those data queries


A lot of the small print talks about ‘profiling’ and how you need to explicitly request permission for this. For example, loyalty programmes are, essentially, a way of profiling customers. If you have a guest that has stayed 10 times and you want to offer them a special deal then that is, technically, profiling, albeit legitimate, and you need to ask for explicit permission!

Or does your hotel use location based offerings? That is also profiling and will need both specific consent and the option to undo everything.

It’s retroactive

The GDPR is a complete overhaul of the laws and, if it's old data, then you need to either erase it or get it into compliance.

Growing your team

One of the more onerous requirements of the new law stipulates that there must be a dedicated DPO (Data Protection Officer) at your hotel. Does a small independent hotel need a DPO? Yes and this role will be mandatory for all data controllers. The good news is that you can easily outsource this role to an outside person or firm - there are plenty of entrepreneurs jostling for position to offer these services.

Breach notifications

Hackers are chipping away at the hospitality industry. IHG had its PoS and front desk systems compromised while everyone’s favourite Trump Hotels even had a breach. The list is growing so the new regulations are timely!

Nonetheless, once GDPR comes into force, hotels will not be allowed to keep a hack under wraps. Breaches will need to be reported immediately and the rules say you have 72 hours to comply.

When is the deadline?

The GDPR becomes enforceable on 25 May, 2018. The rules and best practices have not yet been fully defined so interpretations will still remain flexible. However, now is an opportune time to start interviewing your potential data officers and data auditors.

A cloud-based PMS will be the winner

Cloud-based systems will make it significantly easier to comply. Unlike the heavy antiquated systems installed in-house, they offer full real-time visibility of data, real-time data leakage information capabilities (in other words, the ability to spot a leak), real-time visibility of data flows for the customer and an automated system of data removal should the customer wish it.

Be first to take advantage of the new landscape

Why not beat the springtime GDPR scramble with a few early manoeuvres to make your relationship to data more robust? The new laws shouldn't be interpreted as an unfair diktat but, rather, a golden opportunity to finally set up a seamless, two-way data sharing environment between you and your customers. Pre-GDPR, most guests are already used to handing over their data online provided they get some better service but hotels have been slow to do the same in the offline world of the reception desk. Being able to take advantage of this will result in you becoming a leader guest data management and you can do this with a few easy steps:

First, start assembling your team and become a student of the regulations by reading blogs like ours or watching comprehensive primers like this:



Then review your data collection policies - how many data points do you have that are relics of an old software setup? What kind of information are you collecting for marketing? Is it useful information? What kind of information are you willing to share with third parties and what are those third parties doing with the data that you collect from guests (are any of them nefarious and earning money from the provision of this data, for example)?


Data nightmares - a standard PMS vs a dynamic cloud-based PMS


Another way to look at this is to try and figure out what data would be reasonable for customers to give and how that data could make your hotel better. In other words, getting to know your customer better. Would they like additional services? Would they like a special way of being treated? Remember what we said in Change your mindset above: “Instead of asking for information for the sake of it, frame the requirement for any customer data point as dependent on some value you can offer them for that information.”

Ask yourself what data can you get rid of from your system now? Extra data means more data obligations so start deleting unnecessary fields now. The more you delete now the easier you can build a GDPR strategy for the big day. So, unless your local law requires it, do you really need a guest’s mother’s maiden name?



Hotels in non-EU countries will need to have picked an EU-based representative that can contact the relevant authorities in the country of their choice. Remember, the language you use at your hotel should guide your decision.

Start looking at online or outsourced tools to help prepare. Many of the more tedious tasks can be done for you by third-party individuals and vendors. If your hotel is big enough then you may need a Compliance Support Framework and there are companies that can do this for you.

You will also want to hire someone to penetrate your own security systems to test it out. It’s called an Automated Penetration Testing Framework and there are companies that do it for you. Setting up Incident Management tools so that, if a breach happens, you are prepared and can stay within that 72 hour deadline.

You also will need forensic help. Gone will be the days that, when a breach happens, you just have to close it. You will now also need to be able to find out what exactly happened and who saw what, instead of simply shutting off the breach.

And what is Mews doing to comply with the GDPR law?

Today, we already send every guest an e-mail the moment their profile is created in the Mews platform and give them access to update and maintain their personal data.

We strongly believe customers should be able to control their own data and actually use that process to enhance their guest experience. If the customer feels empowered and appreciates that the sharing of their data will only improve the personalisation from the hotel then, ultimately, their trip is only going to get better. This is the rationale behind our navigator platform and making it as easy as possible for guests to interact with.

But we want to go further so, apart from reviewing our internal processes and seeing how we can further protect client data and improve user-rights, we are extending our Navigator platform so that we can give guests full control of their data. Guests will be able to login to the Navigator platform and see all the personal information that they have stored at your property and to which integration partners this was distributed. We will even include an option to delete that data from Mews and any of those integration partners with just one click. Furthermore, all of this data can be visualised and edited by your staff within the Commander.

We are also excited to be working on a new software release that will make GDPR compliance a cinch as a single guest’s data will no longer be scattered across multiple profiles that were created by different receptionists each time they returned, as is too often the case at hotels. So stay tuned...

In conclusion

The big winners will be those who can create the best possible digital user experience while presenting all the new compliant information as transparently as possible.The bad news is that, to comply, the path of least resistance is an arduous one. Privacy policies and disclaimers will need to be revised. Many website flows will need to be examined and modified. Your database architecture may also need examination and modification.

So try harness your existing systems to do the heavy lifting by using workarounds or go for a unified approach to data transparency by using a platform like Mews. Using a cloud-based platform that is dynamic and flexible will allow you to tick many of the boxes required by GDPR.

Beyond tweaking your current PMS, you should put a data audit procedure in place using your internal resources or external experts. We believe GDPR is a blessing in disguise as it will serve to bring you closer to your guests’ needs and enable you to profile and segment them better. In short, it may be the impetus you need to finally becoming a data-driven hotel.


Mews Careers Want to work at the coolest company in hospitality tech? Come join our team!   APPLY HERE