GDPR in the Travel, Hospitality & Leisure Sector | Deloitte Netherlands


GDPR in the Travel, Hospitality and Leisure sector

The implications of the GDPR on personal data and personalized service

Because of the vast amount of sensitive personal data it processes, the Travel, Hospitality and Leisure sector is strongly affected by the GDPR. The crux lies in offering the personalized service guests are used to in this industry whilst complying with the GDPR.

By Fleurine Mijinke and Anne van Eck - 02 July 2018

The General Data Protection Regulation (GDPR) is now applicable

More than a month ago the General Data Protection Regulation (GDPR) came into effect. Now that the GDPR is in force and the foundation of the GDPR has been laid down, it is time to look at what’s next and the benefits of the GDPR. In this article we will zoom in on the next steps for the Travel, Hospitality and Leisure sector (THL sector) and the advantages that come along with the GDPR regarding technology and personalization.

The travel & hospitality industry is one of the industries in which personal data has always played a big role. Imagine the information that is available to a five-star hotel about a specific guest, including his or her preferences for, say, a particular room and a particular newspaper in the morning.

Often, the personal information about this guest has passed through the many channels that receive and provide personal data in this sector. Data is collected not only directly from guests, but also through other parties such as channel managers and booking sites. High volumes of guests' personal data are processed, including a large number of payment card and/or loyalty card details. Because of its sensitivity, the data used in this sector can have a major impact on guests if something happens to it.

The vast amount of (sensitive) personal data, together with the fact that the data is constantly in transit, means that the travel & tourism industry is strongly affected by the GDPR. The GDPR applies to the processing of personal data by:

  1. Organizations established or operating within the European Economic Area (EEA) [1]
  2. Organizations outside the EEA that offer goods and services to or monitor the behavior of individuals within the EEA. So, as long as you are offering services in the EEA, the GDPR will be applicable.


Considering privacy in the travel, hospitality and leisure industry

There are a lot of things to consider when implementing the GDPR in your business. Maybe you have already faced clients who are not willing to hand over a copy of their passport. This was common practice, but it is now being questioned with reference to the GDPR. In the Netherlands a full copy is only allowed when the organization is legally obliged to obtain such a copy. It is not only the obvious (like a copy of a passport) that needs to be reconsidered under the GDPR; the online storage of personal data also requires special attention.

Research by Trustwave published in 2016 [2] shows that the hospitality sector had the largest share of data incidents by sector. Major breaches affected many of the world’s most prominent hotel chains. Information lost in this sector can have a big impact on the guests involved. As mentioned before, it is sensitive data that is being processed. For example, certain data can reveal whether a guest is at home, with possible consequences when such information falls into the wrong hands. Therefore, it is important to keep your guests' data secure. This is what your guests expect of you. In the end, it is not only the fines (up to 20 million or 4% of the annual turnover) that can have a big effect, but also potential reputational damage due to data breaches.

The GDPR thus requires you to build in privacy and security from the outset. The earlier you involve privacy and security in every process, the better. Taking privacy into account from the beginning (Privacy by Design) is especially important now that technology in combination with personalization is becoming a differentiator in the travel & hospitality industry.

We can no longer imagine travelling without mobile technology, or without a boarding pass on our phone. At present, separate apps are still needed for this, but improving collaboration and interoperability can create a smoother travelling experience. This means thinking of privacy by design but also sharing data properly between travel companies or agencies. All these activities must be in line with the GDPR by, for example, having the right agreements in place between the different parties. The crux lies in offering the personalized service guests are used to in this industry whilst complying with the GDPR.

Service and personalization: vital elements of travel

Values that lie close to travel, hospitality and leisure companies, e.g. service and personalization, are equally important when considering personal data. Benefits of personalization can be unlocked by knowing where the data is stored within your organization. Guest data may be stored centrally or spread across a variety of systems and even, as mentioned before, across multiple agencies. If you know, for example, where sensitive guest data is located, additional security measures can be applied. Document how data flows through your company, where data is stored, where it originates from and who has access to it.

If you know where the data is and what personal data you and others have, there is a great basis for further personalization. In this way you can gain more insight into the needs of your customers and easily adapt to what they want. Personalization can drive value your way if you have the bigger picture of how data combines.

Putting the traveler and guest first

Even though 25 May 2018 has passed, your implementation of the GDPR is probably not completed yet. 25 May was neither D-day nor a finish line; it is a work in progress. During the process, try to always keep your guests involved. There is a good reason why ‘putting the customer first’ is one of the golden rules in the travel, hospitality and leisure sector. Do the same concerning their data. One of the main benefits of being GDPR compliant is gaining the trust of your guests. If you are transparent and gain their confidence, guests will be more open to conversations on guest experience and personalization. Only then can you enhance the guest experience and bring your services to the next level.


1: The GDPR applies to the European Economic Area (EEA), which includes all EU countries plus Iceland, Liechtenstein and Norway.
2: Trustwave Global Security Report 2016

More information?

For more information about GDPR, please contact Annika Sponselee or Nicole Vreeman. For more on the developments in the Travel, Hospitality and Leisure sector, please reach out to Fleurine Mijinke.