5 GDPR Myths Debunked For Hoteliers

In 2018 the General Data Protection Regulation (GDPR) was introduced, and, if your business stores personal data (which, let’s be honest, most do these days), you need to comply - or risk heavy fines. If you’ve never heard of the GDPR before, this blog isn’t intended to give you the full rundown, because the internet is awash with descriptions of the new legislation (check out the link above for the official detail). Instead, we’ve decided to gather five of the most common myths about GDPR compliance and debunk them, because there’s clearly still a great deal of confusion over the replacement for the Data Protection Act 1998.

Myth 1: The GDPR is all about personally identifiable data only

The GDPR isn’t solely focused on protecting data that is obviously related to individuals (i.e. their name, address or date of birth).

The legislation also applies to information such as IP addresses and cookie tracking, and this is because the advertising sector no longer treats data of that ilk as anonymous.

Myth 2: Erm… Brexit’s happening, innit?

The fact that the UK is leaving the EU has absolutely zero impact on your business’s requirements to be GDPR compliant.

Firstly, the enforcement of the GDPR took place well before the proposed Brexit date, and even when the UK does leave the EU, businesses within this country will still need to comply due to the fact that the GDPR applies to the personal data of all EU residents.

Therefore, any guests you have from EU member states, or data stored about EU nationals living within the UK, will be subject to the new rules and regulations.

Sorry - you can’t use the Brexit card here.

Myth 3: The GDPR only applies to new data we collect

Nope. Sorry.

The GDPR applies to all personal data you store and process, no matter when it was collected.

Myth 4: My hotel booking system provider has sole responsibility to remain GDPR compliant - not us

You’re quite right in assuming that the hotel booking system provider needs to be fully GDPR compliant, but there’s a fair bit you’ll need to do, too.

Your hotel will collect and interact with data in a variety of ways, therefore every touchpoint needs to be accounted for, and they won’t all be linked to the hotel booking system.

Equally, even if you’re not physically storing the data yourselves, you’ll still be considered a data controller, and therefore subject to the GDPR’s rules.

Myth 5: The fines are the biggest threat

There’s no escaping the fact that fines of 4% of revenue or £17 million are potentially business-killers, but they should be relatively rare in the UK.

The Information Commissioner’s Office (ICO) has stated that it prefers “the carrot to the stick”, and it’s likely they’ll focus more heavily on companies that flout the laws or fail to notify them when a data breach has taken place.

So, the fines are a threat, but they’re not necessarily the biggest. If you’re hit by a data breach and your lack of GDPR compliance results in serious problems for your customers, the PR consequences could be far worse.

Wrapping up

There’s no escaping GDPR, but, equally, no reason to panic. Use our tips above to remain compliant, and don't be afraid to call in professional help if you think you need it.


Welcome Anywhere has over 30 years of experience in helping independent hoteliers deliver guests an unforgettable experience with its simple property management system that controls your daily activities. The best part -  it’s all cloud hosted! We develop scalable solutions for your property such as PMS, a Booking Engine and Channel Manager. Our team has a wealth of experience in the hospitality industry and we serve you to better serve your guests.

Call us today at + 44 (0) 33 0100 1090, or email us at sales@welcomeanywhere.com. We will be happy to walk you through Welcome Anywhere’s all-in-one solution for your property management needs.