Preparing your hotel for GDPR

The tools you need to help you prepare for GDPR

At Cendyn we’ve been working hard to ensure that we are prepared for the upcoming General Data Protection Regulation (GDPR) legislation, and in turn, ensure you are prepared too. To help keep you up to date with this, we’ve outlined how hoteliers can use the tools that Cendyn CRM Suite provides to ensure EU individuals’ data is being processed in a compliant and transparent way.

Quick GDPR recap:

The General Data Protection Regulation (GDPR) is comprehensive legislation designed to harmonize data protection law across the European Union (EU). It imposes new regulations for organizations who engage with individuals in the EU, expands individuals’ rights with respect to the processing of their personal data and mandates data security measures appropriate to the risk of processing personal data. It also includes tougher enforcement for violations of the rules. GDPR comes into effect on May 25, 2018. As a reminder, even if your hotel is located outside of the EU this legislation still applies as it covers entities that collect data of EU citizens, regardless of a physical presence in the EU.

To help you prepare and set your hotel up for success after the legislation comes into force, the following should be key items on your checklist to understand and start putting in place before May 25, 2018.

Check your database for legal grounds to process data:

Hotels, as data controllers, must have a valid lawful basis to process personal data. Here are the six legal grounds for processing legal data:

  • Consent: the individual has given clear consent for you to process their personal data for a specific purpose
  • Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
  • Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations)
  • Vital interests: the processing is necessary to protect someone’s life
  • Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
  • Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

How to check for legal grounds to process data:

Ask the following questions during your check:

  • Have your customer lists been imported from sources outside of your property management system (PMS)?
  • Has the customer explicitly agreed for you to process their personal data?
  • Do these individuals fall under any of the other legal grounds for consent? (as listed above)

Cendyn CRM Suite enables hoteliers to manage how hoteliers have obtained consent through a robust subscription center. For anyone in your database not covered by the legal grounds to process data, as listed above, you will need to obtain consent to contact them. Check out our detailed guide on obtaining consent from your database.

Set up your database for longevity:

To ensure your database is maintained to cover all legal grounds for consent to process data, we recommend hoteliers implement an email preference center or email sign up form. This is a perfect way for hotels to grow their database and obtain consent for those not currently covered by the legal grounds for consent. You can use Cendyn CRM Suite for the following:

  • Create an email subscription center that will entice your subscribers to receive your content
  • Enable people to sign up to information or content that reflects their interests or preferences (reminder, our guide on best practices for consent will help with this)
  • Update any forms that you have on your website to include an opt-in check box or a statement that confirms that by proceeding they are providing their consent. If you’d like to see examples of these forms or preference centers, please contact your Cendyn Account Manager
  • It’s good practice to make your privacy policy visible and accessible. We recommend adding a link to your privacy policy anywhere you provide the option for individuals to sign up. This will emphasize your commitment to transparency and accountability for how you process data

Handle individual data requests:

GDPR expands individuals’ rights in the EU with respect to the processing of their personal data and mandates data security measures appropriate to the risk of processing personal data. It provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

Cendyn CRM Suite provides hoteliers with the tools necessary to process any of these types of requests. As a data controller (hotel), it is the hotel’s responsibility to report the request with the data processor (Cendyn). The hotel can submit a request to, following receipt of that request, Cendyn will process and update the hotel on the status and completion of the request for auditing purposes.

Maintain accountability:

Cendyn is working in collaboration with the leading data privacy management company, TrustArc, to prepare all products and data systems within the Cendyn Hospitality Cloud for GDPR compliance by May 25, 2018. Cendyn has an exceptional privacy and security track record with customers’ data and has been actively preparing for GDPR since 2016. Cendyn is Privacy Shield certified, CASL and PDPA compliant, as well as PCI certified. Cendyn is also SOC II certified and currently in process to be ISO certified.

Cendyn customers can be assured that as a data processor of EU citizens’ personal data, all products in the Cendyn Hospitality Cloud will adhere to the GDPR rules by May 25, 2018. As a data processor, Cendyn is prepared to support customers in their own GDPR compliance as data controllers by:

  • Securely and confidentially storing and processing data until it is safely returned or destroyed
  • Supporting customers’ obligations as data controllers during auditing or consumer rights requests
  • Implementing necessary technical solutions such as consent mechanisms and retention of evidence
  • Providing Article 30 reporting to DPA or clients upon request

Want to know more? Take a deep dive into obtaining consent from your database using our detailed guide.


Subscribe to receive the
best hospitality technology insights


Discover how you can drive business via your most profitable channel.