

GDPR and hospitality – are you still risking a massive fine? Our free guide will help


What do Google, Dixons, Marriott, Fifa, Uber, Quora and Facebook have in common? On the face of it not much – but they’re just a few of the famous organisations which have fallen foul of serious data breaches since GDPR came into force in May 2018.

And with many other organisations still struggling to get to grips with the data legislation, is there something hospitality businesses need to learn from their experience?

The Cambridge Analytica scandal may have caused Facebook some serious reputational damage and some tricky scrutiny, but it is now apparent that the regulations are hitting companies where it hurts most – their wallets.

The most recent and largest recipient of a GDPR-related fine is Google, hit with a £44m fine by France’s CNIL data watchdog.

Although this seems like a lot, given that the maximum fine is 4% of global turnover, it is a relative bargain compared to the £3 billion it could have been. It remains to be seen what the long-term effects on Google’s reputation could be.

What did they do wrong? They did not meet GDPR’s transparency requirements, and didn’t prove a lawful basis for processing the data.

Why this matters to you

If you’re complacent, you could argue that the authorities are only going after the big boys – you can’t get bigger than Google or Facebook – but don’t fall into this trap.

While these cases are high profile, it would be dangerous to assume that the regulatory authorities are not prosecuting smaller companies.

The Information Commissioner’s Office (ICO), which enforces GDPR and the pre-existing data protection laws in the UK, has prosecuted 180 organisations in the last two years.

Predictably, some of these companies and individuals were actively involved in shady practices such as cold-calling or email spamming millions of people.

However, many who were prosecuted were simply negligent in their processes of storing and processing data. The list of enforcement actions makes sobering reading as it includes organisations that should really know better.


What this means for the hospitality industry

The hospitality industry is not immune to the impact of GDPR. Your restaurant management software or PMS may be storing gigabytes of old data such as booking data, enquiries for weddings or brochure requests.

You may not be holding as much data as Marriott but the law does not differentiate on the size of the database that has been breached or who is breaching it. The ICO have successfully prosecuted individuals for much smaller infractions.

In fact, a recent survey found that in the two months following the introduction of GDPR, 45% of hospitality businesses neglected to wipe IT equipment before disposing of it.

The research, which surveyed 1,002 UK workers, also found that 97% of hospitality businesses did not have an official process for disposing of obsolete IT equipment, with the same percentage saying they would not know who to approach within their company to do so.

Hospitality – among the most guilty industries

IT service provider Probrand group, which commissioned the survey, named the hospitality sector as one of the “most guilty industries” alongside transportation, sales and marketing, manufacturing, utilities and retail.

For an industry built, literally, on customer service, a breach could not only hurt your turnover but also damage your reputation. Your once-loyal customers will no longer trust you with their personal data, which can have a longer-term impact on your future marketing efforts.

It’s not just hard drives containing personal data that you need to be wary of. In fact, you may be ultra-stringent in your data cleaning processes and have security down to a “T” yet still get caught out.

How? A little-known fact that can catch the unsuspecting is that as an organisation processing data you need to pay a registration fee to the ICO or face a fine of up to £4350.

We recommend you do at least the following:

  • Get customer consent for all data
  • Appoint someone to act as a Data Protection Officer
  • Perform a Data Protection Impact Assessment
  • Remember to document data breaches
  • Respect the right to be forgotten


We can help

As providers of leading restaurant management software and hotel management software we have a wealth of experience (see our case studies) helping our clients get the most out of their data safely.

So if you need to get up to speed on GDPR we’re happy to offer our help and guidance on best practices.

* Check out our dedicated resources to find out more – DOWNLOAD our Easy Guide to Being GDPR Compliant now!

* See how restaurant management software and hotel management software can boost your business.

Luis De Souza Chief Executive Officer Posted on: January 31, 2019
Copyright © 2024. NFS Technology