21 February 2018


GDPR is already in place and has been in force since 2016.

However, it has not been enforced so far. That will start happening from 25th May 2018. GDPR, in a nutshell, brings greater accountability, transparency and rights to how you handle personal data processing. It also brings a significant increase in the size of monetary fines.

The Federation has tried to summarise the new legislation but this is not legal advice. You should seek your own answers and come to your own conclusions. Start with the "12 steps to take now" document attached below.

Ok, here we go... 

It is important to note that GDPR only applies to personal data - if you leave your company accounts on the seat of your local Ulsterbus, it is unlikely you've done anything wrong in the eyes of GDPR.*

Personal Data is anything that can identify a person - name, home address, passport number, credit card number, date of birth, IP address, etc. A name or a date of birth won't necessarily uniquely identify someone unless they are linked together. Sensitive Personal Data (or Special Categories of Personal Data) is religious beliefs, sexual orientation, health, etc. You need to be even more careful with this type of data.

Processing is everything you do with the personal data you collect as a business. This can be on a computer or just on a piece of paper. Simply recording a restaurant booking is data processing. And, don't forget all the information you hold on employees.

Now we get to Data Controller and Data Processor. Simply put, you are a data controller. You determine how data is processed. A data processor might be your payroll provider or your credit card merchant. They only process data on your behalf. But, a hotel is definitely a data controller.

Now that we have established the basics - you are a data controller that handles personal data - what are the basic principles of data protection? There are lots of principles but we'll not go into detail here. In summary, personal data must be processed fairly, it must be collected for legitimate purposes, it must be accurate, you shouldn't keep it for longer than necessary and you should ensure it is securely managed.

So, processing of personal data is only lawful if it is permitted under EU data protection law. You must have a legal basis for processing and you must be able to identify in advance that basis. Here are the six legal bases available.

  1. Consent
  2. Necessary for a Contract
  3. Legal Obligations
  4. Vital Interests
  5. Public Interest
  6. Legitimate Interests 

Now, there has been a lot of confusion around consent. Some have said that you can't handle any customer data unless you have specific consent from every customer. This is not correct. Consent is only one of the legal bases available. In reality, you would very rarely ever rely on consent.

If a customer books a room with you, you will hold their data based on points 2 and/or 6 in the above list. It is either necessary for a Contract and/or you have a Legitimate Interest (i.e. ordinary honest business practices). You do not need the customer's consent as it would be impossible to process that customer's room booking if they withdrew consent.

Regardless of consent, however, a data subject has certain rights. These include access to the information you hold on them and the right to ask to be forgotten. But, just because someone has the right to ask for their data to be erased, it doesn't mean you have to comply. Your company policy might be to retain all booking records for 6 years for tax and legal purposes. In that case, you can refuse to erase a person's data (assuming you meet the other GDPR requirements). 

Now we get to data breaches. This is how things can go wrong. You might have everything set up correctly, you are processing data appropriately and all your policies are in place. Then, the laptop with your marketing database is stolen from a manager's car or a disgruntled employee puts all of last year's customers on a memory stick or the HR filing cabinet is left open. This is how you end up with a big fine, reputational damage, job losses and more.

This is an area that needs a lot more thought and detail but training your staff on data protection principles would be a good first step. You'll also need to have data processing agreements with any external companies, audit your data handling practices and generally sharpen up what personal data you collect and what you do with it.

Finally, debunking some myths!

  • No, you don't need to delete your entire database.
  • You don't need to contact everyone on your marketing mailing list to get their consent.
  • You do need a privacy statement on your website and at other points of contact.
  • You don't need to stop writing down credit card numbers but you do need a very robust method of keeping them secure and destroying them as soon as possible.

Above all, the less personal data you collect, the less you have to worry about processing it. Do you really need to know someone's car registration, gender, marital status, etc?

So, GDPR does require some thought and a few actions. At the very least, a senior manager in your company should take a training course to understand more. But, in the same way that food hygiene and fire safety aren't just the responsibility of one person, so GDPR should be considered by all staff.

Call us for more advice on 028 9077 6635. 

* As long as your company accounts don't contain employee or other personal data. Your Board or manager may not be quite as lenient as the Information Commissioner! 
