The importance of GDPR and Privacy Compliance in the Hospitality Industry

For so many hospitality venues, the collection and storage of data is fundamental to the way they operate. It can help venues reach customers via marketing and promotional campaigns, and can inform them with critical context when making decisions.

But if the data provided by patrons is mishandled, passed on to third parties, or not used in the manner that was outlined to customers, it may damage relationships and tarnish the venue’s reputation.

Legislation like the General Data Protection Regulation (GDPR) – as well as certain policies undertaken by venues – may help to protect customer data and privacy. This article will provide a brief overview as to what GDPR is, and why and how venues should be proactive in preserving customer data and privacy.

1) What is GDPR?

According to, the General Data Protection Regulation (GDPR) is “the toughest privacy and security law in the world [that] imposes obligations onto organisations anywhere, so long as they target or collect data related to people in the EU [European Union].” provides a simple interpretation of seven of the key principles in the legislation, while quotes the EU as saying that

“The GDPR was designed to “harmonise” data privacy laws across all of its member countries as well as providing greater protection and rights to individuals. GDPR was also created to alter how businesses and other organisations can handle the information of those that interact with them.”

The legislation can affect Australian businesses if they are processing data relating to a citizen of the EU, with the maximum penalty for non-compliance up to “$30 million, or four per cent of a firm’s global turnover (whichever is greater).” There are other data privacy laws around the world, such as the Privacy Act 1988.

2) Data accessibility

Using ResDiary reports, venues are presented with a wide range of data. This includes customer lists, the number and type of bookings, customer spends, feedback reports, the response to promotions and so on. This data can provide important benchmarks, and offer relevant information which can help key staff members make important decisions.

However, if data being provided to venues is used in a way that is unscrupulous and not in good faith, customers will feel betrayed. As a result, they may withdraw access to their data, and not attend the venue in the future. Therefore, privacy legislation, and internal policies to protect data, should provide customers with more confidence in providing personal information in the future. 

3) Marketing communication in hospitality

According to a recent McKinsey survey, no industry received over 50 per cent of customer trust regarding their handling of privacy and data. Moreover, individuals are more likely to trust companies if they respond quickly to breaches, and only ask for information that is relevant to their product. There’s currently a lack of trust from customers regarding the way that organisations handle and use data that is provided to them in good faith.

If the venue clearly and openly communicates to customers why it is collecting data, how it is going to protect it, and how it will benefit customers down the line, it should lead to customers making more informed decisions about the information they choose to provide. In turn, customers might be more inclined to pass on more comprehensive and accurate information, which will hopefully benefit both them and the venue.

4) New systems for protecting data

The consequences for breaching GDPR have the potential to be substantial. This may act as a catalyst for venues to treat their customers’ data with care, and to establish policies and procedures so that the data won’t be mishandled or abused.

These policies might typically include relevant disclosures, and terms & conditions regarding the collecting and handling of customer information. It might also involve staff and management training so they are up to date with IT security and privacy policies.

Having protocols in place should help to ensure that the venue operates in accordance with relevant legislation, and also ensure that trusting relationships with customers are preserved and maintained. 

There’s an implied contract that is established between customers and dining establishments in relation to the data that is provided. Customers may hand over certain pieces of information – before or after their booking – but that is on the condition that it is only used in a specific capacity (and that capacity is clearly outlined by the venue).

Venues should make sure that they hold up their end, because the consequences of improperly handling customer data may be steep and – if exploited – customers may not return. 

ResDiary is fully GDPR compliant while giving you ownership of your database. Find out how our table management system can work for your venue at your own demo.   


Disclaimer: This guide is general in nature and does not take into account your individual circumstances. Before acting on any information, you should consider whether this is right for your business.