What Holiday Let Owners Need to Know About GDPR

Posted by Linda Maclaughlan on 02 July 2018

Are you aware of what GDPR is and how it affects your holiday let?

Maybe you’re vaguely aware that something’s happened; after all, you’ve almost definitely noticed all of the emails flooding your inbox up to May 25th from companies needing permission to keep you on their subscriber list.

But maybe you’re thinking that this new law only applies to companies; that it couldn’t possibly have much of an impact on you.

In which case, I’m sorry to burst your bubble.

I’m actually not particularly shocked anymore at the knowledge that there are people out there who still haven’t heard of GDPR and who are, right at this moment, breaking the law.

Unfortunately, whether you’ve heard of GDPR or not, if you run a holiday let, I’m afraid this new legislation applies to you – and you could face a fine if you’re caught.

What is GDPR?

Despite having been many years in the making, GDPR actually only came into force on May 25th 2018 (yep, around the time you were getting all of those emails).

It stands for the General Data Protection Regulation, and is a new European privacy regulation which applies to all countries – and citizens – in the EU and EEA. That’s incidentally also why some American sites are now blocking views from anywhere in Europe.

Essentially, it was brought in to give individuals more power over their personal data, which has had many companies scrambling to ensure they’re fully compliant.

However, it’s not just companies who have to comply. Whether you’re a homeowner with just a single holiday let, or are running a holiday let agency with several holiday lets on the go at once, GDPR applies to you.

Let me put it another way: Are you collecting personal data? If so, there are now some very strict rules in place about how you store, manage, use, analyse and protect the data of guests and suppliers – and it’s your responsibility to ensure you’re compliant at all times.

What does GDPR mean for you?

Firstly, don’t panic. Some companies can be fined up to €20 million for breaking the new legislation; however, I wouldn’t in my wildest dreams think overly hefty fines are a real possibility for holiday let owners (also, everyone will receive a warning first!).

That doesn’t make you immune, though.

GDPR is really just a way to ensure that everyone handles personal data considerately and responsibly. And if you’re already doing that to an extent, this is an opportunity to embrace the changes and ensure that you’re taking the very best care with your guests’ personal information.

For example, if you have an email list – whether it’s one you’ve built up over the years or purchased – you’ll no longer be able to keep that list and use it to send out marketing emails to potential guests, unless they specifically opt in to receive those emails.

This also applies to running competitions, or getting anyone to sign up to a list – you have to be specific about what you’re going to do with their data, and the kind of emails you’re going to be sending. You also need to start storing their consent so that you can present this if questioned.

Current customers are a bit more of a grey area, but it’s probably safe to assume that if someone stayed with you more than a year ago, and they haven’t opened any of your emails for the past year, it would be a good idea to remove them.

The main thing about GDPR is ensuring your data is up-to-date, accurate and consensual (in that people have consented to you having it – and if they haven’t, your best bet is to delete it).

Steps to becoming GDPR-compliant

I’ve put together some steps to help you get fully up-to-speed with GDPR and ensure you’re compliant for past, present and future guests.

1. Conduct a data audit

The first thing I’d recommend doing is to look at the type of data you’re storing. This could be anything from names and email addresses, to postal addresses, payment details and passport numbers.

Sort and categorise this data, and determine if you actually need to store it. Carefully consider how you’re using it, and review how you store it. You should also review your security procedures and who else has access to this data – as well as why.

2. Run an email re-permissioning campaign

As I mentioned above, it’s vital to start storing the consent of those who are on your email list. This applies whether you’re storing the consent of new subscribers, or ones who signed up to your list five years ago.

Which means you’re going to have to send out one of those re-permissioning campaigns that everyone else was sending out last month. Sorry!

3. Ensure you’re compliant with individuals’ rights

GDPR has been very specific when it comes to the rights of individuals and how their data is handled and processed. Therefore, you have to ensure that your processes are in line with the rights outlined below.

These rights are:

  • The right to access
  • The right to be forgotten
  • The right to data portability
  • The right to be informed
  • The right to have information corrected
  • The right to restrict processing
  • The right to object
  • The right to be notified

For the full low-down on what these rights actually mean, check out this blog post by Stargazer Digital.

4. Draft up a privacy policy

It’s absolutely essential to display a privacy policy for anyone who is thinking of submitting their personal details, whether they’re interested in becoming a guest, signing up for emails, or have any other reason. This should be displayed prominently online.

I’ve put together a checklist that should help you out when drafting up your GDPR privacy policy, as not everyone knows where to start. Hopefully this will help!

5. Plan how you’ll handle data requests

You may be asked by an individual to update, delete, or send a copy of the data you have stored on them (as it is their right to do so).

You should have a process in place for how you will handle these requests within the relevant timescale – now one month rather than the previous 40 days.

6. Determine how you’ll deal with data breaches

Despite our best efforts, data breaches can and do happen. But aside from taking all the standard precautions, it’s how you deal with them once they occur that really matters.

Start putting together a plan to pinpoint exactly how you’ll deal with breaches in data. These procedures should include detecting, reporting and investigating data breaches.

7. Check your lead data protection supervisory authority  

If you’re operating in more than one EU member state (for instance, if you have a holiday let in the UK and one in France), it’s important to find out who your lead data protection supervisory authority is.

For more help and guidance, check out the Article 29 Working Party, which has really broken things down and made GDPR guidelines much easier to understand.

8. Check out ICO’s code of practice

If you’re looking to read up on more GDPR advice from a good, reliable source, the Information Commissioner’s Office website has plenty of great resources that should help. This is the no. 1 source I’ve been paying attention to myself when becoming GDPR-compliant.

Key GDPR resources to keep bookmarked


If you’re not GDPR-compliant yet, don’t worry too much – I’m sure you’re not the only one! The best way to look at it is to treat this as an opportunity to become better at dealing with your guests’ personal data and safeguard your holiday let as a business.

Work your way through the steps above, and don’t forget to check out the GDPR privacy policy checklist I’ve put together to hopefully make things a bit easier for you.

Got any specific questions about GDPR for holiday lets? Leave me a comment below. I’d love to hear from you, and I’ll try my best to help!