Data protection and CCTV for hospitality businesses

Data protection in hospitality

Hospitality businesses collect and process significant amounts of personal data: guest names and contact details, payment card information, CCTV footage, wifi login data, loyalty programme records, and staff records. All of this is regulated by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

The Information Commissioner's Office (ICO) is the regulator. Breaches of UK GDPR can result in fines of up to £17.5 million or 4% of annual global turnover, whichever is higher. Even for small businesses, the ICO can issue enforcement notices, reprimands, and fines proportionate to the breach.

Most hospitality businesses that process personal data must register with the ICO and pay an annual data protection fee. The fee depends on your organisation size and turnover: from 17 February 2025 the tiers are £52 per year for micro organisations (tier 1), £78 for SMEs (tier 2), and £3,763 for large organisations (tier 3).

CCTV in your premises

CCTV is widely used in hospitality for security, theft prevention, and protecting staff. However, CCTV captures personal data (images of identifiable individuals) and must comply with UK GDPR and the ICO's CCTV code of practice.

Signage requirements

You must display clear, prominent signs informing people that CCTV is in operation. Signs should state who is responsible for the system, the purpose of recording, and contact details for anyone wishing to request access to footage of themselves.

Data Protection Impact Assessment

Before installing CCTV or significantly changing your system, carry out a Data Protection Impact Assessment (DPIA). This assesses whether CCTV is necessary and proportionate, identifies privacy risks, and documents the measures you will take to mitigate them. A DPIA is mandatory where surveillance is systematic and on a large scale.

Retention

Keep CCTV footage only as long as necessary for its stated purpose. For most hospitality premises, a retention period of 30 days is appropriate unless footage is needed for an ongoing investigation or legal proceedings. Set your system to overwrite automatically after the retention period expires.

Subject access requests for footage

Anyone captured on your CCTV can submit a subject access request (SAR) to obtain a copy of the footage. You must respond within one calendar month. You must blur or redact other individuals visible in the footage before providing it, unless doing so would be disproportionate.

Guest and booking data

When guests book accommodation, tables, or events, you collect personal data including names, email addresses, phone numbers, payment details, and potentially dietary requirements or accessibility needs.

Key requirements:

• Lawful basis: For bookings, your lawful basis is typically contract (the data is necessary to fulfil the booking). You do not need separate consent for data needed to provide the service
• Data minimisation: Only collect what you genuinely need. Do not ask for information that is not necessary for the booking
• Privacy notice: Provide a clear privacy notice at the point of data collection explaining what data you collect, why, how long you keep it, and who you share it with. This can be on your website booking page, at reception, or on booking confirmation emails
• Retention: Keep booking data only as long as necessary. Financial records may need to be kept for 6 years for tax purposes, but general booking data should be deleted sooner
• Payment data: If you store payment card details, you must comply with the Payment Card Industry Data Security Standard (PCI DSS). Many small businesses avoid this by using payment processors that handle card data on their behalf

Marketing and loyalty programmes

The Privacy and Electronic Communications Regulations 2003 (PECR) set specific rules for electronic marketing. These apply alongside UK GDPR.

Marketing emails and texts

• Existing customers (soft opt-in): You can send marketing to existing customers about similar products and services without explicit consent, provided you gave them the opportunity to opt out when you first collected their details, and you include an unsubscribe option in every message
• New contacts: You need explicit, freely given consent before sending marketing emails or texts. Pre-ticked boxes do not count as valid consent
• Unsubscribe mechanism: Every marketing email and text must include a simple way to opt out. Process unsubscribe requests promptly

Loyalty programmes

If you operate a loyalty card or points scheme, you are processing personal data. Ensure your privacy notice covers the loyalty programme, explain what data you collect and how it is used, and give members the ability to request deletion of their data. If you use loyalty data for profiling or targeted marketing, this may require a DPIA.

Guest wifi

If you offer guest wifi that requires login details (email address, social media login), you are collecting personal data. Ensure a privacy notice is displayed during the login process. Do not use wifi login data for marketing without appropriate consent under PECR.

Responding to data requests

Individuals have rights under UK GDPR that you must respect:

Subject access requests (SARs)

Anyone can ask you for a copy of the personal data you hold about them. You must respond within one calendar month. You cannot charge a fee unless the request is manifestly unfounded or excessive. Before providing data, verify the requester's identity to avoid disclosing data to the wrong person.

Right to erasure

Individuals can ask you to delete their personal data. You must comply unless you have a legitimate reason to keep it (such as legal obligations to retain financial records). Respond within one month.

Right to rectification

If someone tells you their data is inaccurate, you must correct it within one month.

Data portability

Where data was collected based on consent or contract and processed automatically, individuals can request their data in a commonly used, machine-readable format.