If you hold personal data relating to your guests, you could fall foul of the law if you're not registered to do so. Alex Meloy explains.
Hotels collect a large amount of personal data in relation to their guests, which they use to make bookings, take payments and send marketing messages to those guests.
Personal data is essentially any information about an individual that can be used to identify them, whether on its own or in combination with other information.
Depending on the extent of the data processing undertaken, a hotel may be required to register as a data controller (essentially, the custodian of the data) with the Information Commissioner's Office (ICO). However, there is a tendency for hotels to rely on guidance put out by industry bodies with regard to the obligation to register. While the guidance is well intended, there is often a failure to understand that nuances in individual practices can have a significant effect on the need to register.
UK data protection law is contained primarily in the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
The act requires all data controllers to register with the ICO unless exempt. Failure to do so is a criminal offence. The ICO also has the power to issue fines of up to £500,000 and to take other enforcement action.
Whether you need to register depends on numerous factors; there is no one-size-fits-all answer.
- Staff administration
- Advertising, marketing and public relations
- Accounts and record keeping essential for the operation of the business (such as processing a customer's billing information).
If processing is limited to these activities, then registration may not be necessary. However, conditions apply. For example, the exemptions don't apply if personal data is kept for longer than necessary or is disclosed without consent to third parties not involved in the specified processing activity.
Furthermore, there's no exemption if a business is marketing someone else's goods and services or selling customer lists to third parties, or if it engages credit reference agencies to credit check customers who are individuals.
Luckily, there is a useful rule of thumb that is particularly relevant to hotel businesses. If a hotel uses CCTV on site for crime prevention purposes (whether in the hotel itself or perhaps in the car park), then registration is mandatory. Given the ubiquity of CCTV in today's world, and particularly in the hotel business, the answer is almost certainly going to be yes. However, it's a question that is often overlooked, so it's important to keep it in mind.
- Is CCTV used on site for crime prevention purposes? If so, register.
- If not, is processing limited to core business purposes? If so, do any of the processing activities disapply the exemption? If so, register.
- If in doubt, register - it's straightforward and relatively inexpensive.
It is a criminal offence not to register when required to do so. There's also the possibility of bad publicity, which can affect the trust that customers place in your business.
When deciding whether to register, you should take the time to review your data protection practices generally. Registration is the beginning of compliance, not the end. With the new General Data Protection Regulation bringing in a stricter regime from mid-2018, it makes sense to get your house (or hotel) in order now.
Alex Meloy is an associate solicitor in the intellectual property and commercial team at London law firm Howard Kennedy LLP