GDPR: Where to Begin with Complying Online

Data breaches have caused embarrassment recently for Trump Hotels, the Marriott, the Sheraton, Intercontinental Group and the Wyndham. From May 2018, however, similar breaches could also cost millions in fines. The EU General Data Protection Regulation (GDPR) aims to give more power to the consumer by giving them choice and transparency with regards to how individual businesses use and store their data. GDPR regulation is firmly placing responsibility on businesses to be accountable for their data or face the consequences by implementing hefty fines of up to 4% annual turnover.

The hotel industry is one of the most susceptible to data breaches, processing and storing data from many sources; their own website, OTAs, point of sales systems, emails, faxes, phones and walk-ins. Every day hotels are generating and storing guests’ personal information and, in some cases, card transaction details.

Here at Aró Digital Strategy, we can support you to have your website and email lists prepared for the introduction of the GDPR in May 2018.

1. Cookies

Under GDPR, a cookie or identifier attributed to a device and capable of identifying an individual or treating them as unique, even without identifying them, is defined as personal data. The cookie consent form should list each cookie and provide the means for users to opt in for each cookie. It will no longer be sufficient to say ‘by using this website you consent to the use of cookies’. Users must have the option to withdraw consent at any point. Withdrawing consent should be as easy as giving consent in the first occasion and the option to withdraw should be visible.

2. Email Lists

You must be able to show where, when, and how you got opt in from everyone on your list and that they agree that you can send them mail. We recommend that if you don’t have evidence of how each person on your list subscribed, you need to ask again (before it becomes illegal to contact them) and keep the evidence. Cleaning your list also has the advantage that you are contacting people that are engaged in your brand, making it more likely they want to open emails and potentially purchase from you.

3. Privacy Policy

Produce a privacy policy that will include a cookie policy outlining how you manage your data. Publish it on your website.

By preparing and embracing a customer first online experience on your website in advance of the deadline, you will have peace of mind and avoid unnecessary fines. Of course, GDPR relates not only to the website, but also to everywhere you process and store personal information. The infographic below points out 6 things businesses should do to become compliant.


Aró are currently making sure that our booking engine and email marketing products comply with GDPR. We can advise you on how best to prepare your website and email marketing lists for the new regulation. Should you require any support, please contact your account manager or send your query to [email protected].