GDPR and Consent Requirements


The EU GDPR (General Data Protection Regulation) takes effect in May and organizations that collect and store data on consumers are making the last changes for compliance. We’ve already touched on general compliance and the definition of data for this regulation, so today I want to talk about consent.

Strict consent standards are going to be a key portion of the GDPR. No longer allowed to be buried in Terms and Conditions, protected citizens must now see and consent to a plain-language, full-disclosure of the following:

  • What data is being collected
  • Who is collecting the data
  • The purpose for collection
  • How long data will be stored

Persons will have the right to withdraw this consent at any time and to access, correct, or delete any of their personal data, and companies collecting and/or processing data must provide the means and instructions for people to do so.

Further, parental consent may be needed for minors, and sensitive personal data (which includes information such as biometric data or personal preferences/beliefs) will require explicit consent. For more information about how this regulation affects hospitality, please see our other posts in this series:

  1. What is GDPR and What does it Mean for Hotels?
  2. GDPR Requirements and Data Description