UK Hotel Data Protection: UK GDPR, DPA 2018, ICO Enforcement & Post-Brexit Compliance

£18.4M: Marriott ICO fine under UK GDPR — largest hospitality enforcement action globally
£17.5M: Maximum ICO fine — higher of £17.5M or 4% global turnover (UK GDPR)
30 days: UK GDPR data subject request response deadline (the same as EU GDPR's 30 days)
Post-Brexit: UK GDPR + DPA 2018 apply independently from EU GDPR since January 2021
UK GDPR / DPA 2018 HOTEL RISK: Following Brexit, the UK operates its own data protection regime: UK GDPR (retained EU law, as amended) plus the Data Protection Act 2018. The ICO enforces against UK hotels and against international hotels processing UK guest data. The ICO's direct enforcement priority areas for 2024-2025 include AI and automated decision-making, data broker practices, and large-scale breach responses. The ICO's 2022 hotel sector audit found widespread non-compliance with Subject Access Request (SAR) response timescales, CCTV retention policies, and processor agreement requirements.
Section 1

UK Data Protection: Post-Brexit Hotel Compliance

UK ENFORCEMENT — ICO Hotel Investigation & Marriott Fine (2020)

Authority: Information Commissioner's Office (ICO)
Hotel Fine: Marriott International — £18.4M (October 2020)
Basis: UK GDPR Arts. 5, 25, 32 (transitional application)
ICO Power: Compulsory information notices, assessment notices, enforcement notices

Since January 2021, the UK has operated UK GDPR (the retained version of EU GDPR as amended by the Data Protection Act 2018 and subsequent UK legislation) independently of the EU framework. While UK GDPR largely mirrors EU GDPR, there are important differences for hotels: the UK has its own ICO enforcement; post-Brexit data transfers between the EU and the UK rely on adequacy (the UK holds an EU adequacy decision); transfers from the UK to non-adequate countries use UK International Data Transfer Agreements (IDTAs) rather than EU SCCs; and the Online Safety Act 2023 adds new obligations for hotel websites with user-generated content features.

UK GDPR / DPA 2018 — Parallel Regime

Since January 2021, hotels need two compliance frameworks for EU guests (EU GDPR) and UK guests (UK GDPR). Dual establishment may require both an EU representative (Art. 27) and UK compliance under DPA 2018 s.207.

ICO SAR Response Requirements

Subject Access Requests from UK guests must be responded to within 30 days (extendable by 2 months for complex requests). The ICO's 2022 audit found that 45% of hospitality businesses failed to meet the 30-day deadline.

UK-EU Data Transfers Post-Brexit

The UK has EU adequacy status (adopted June 2021, valid to June 2025, subject to renewal). EU hotels transferring guest data to UK processors can rely on this — but hotels transferring UK guest data to non-adequate countries must use UK IDTAs (not EU SCCs).

Section 2

UK Data Protection Framework for Hotels

UK GDPR vs EU GDPR — Key Differences for Hotels

While largely equivalent, key differences include: (1) the ICO (not the EDPB) issues UK-specific guidance; (2) the UK uses International Data Transfer Agreements (IDTAs) and the UK Addendum to the EU SCCs for non-adequate country transfers; (3) the UK has its own adequacy regime, recognising only a limited list of countries; (4) the UK's Data Protection and Digital Information Bill (DPDIB, under parliamentary consideration in 2024) may amend legitimate interest requirements and DPO obligations; (5) ICO fines run up to £17.5M or 4% of global turnover.

DPA 2018 Special Category Data in Hotel Context

The Data Protection Act 2018 Schedule 1 provides additional processing conditions for special category data in UK law. For hotels, relevant conditions include: Schedule 1 Part 1 para 1 (employment, social security) for staff health data; Schedule 1 Part 2 para 18 (safeguarding of children and individuals at risk) for duty of care situations; and the 'substantial public interest' conditions. Hotels with medical emergency procedures must document their legal basis for processing health data under Schedule 1.

Online Safety Act 2023 — Hotel Website Obligations

The Online Safety Act 2023 (OSA) applies to UK-based and internationally accessible user-to-user services and search services. Hotel websites with review functions, community forums, or user-generated content features may qualify as 'Category 2' services under the OSA, requiring: illegal content risk assessments; content moderation systems; and transparency reporting. Ofcom enforces the OSA with penalties up to £18M or 10% of qualifying worldwide revenue.

PECR — Marketing Communications to UK Hotel Guests

The Privacy and Electronic Communications Regulations 2003 (PECR), enforced by the ICO, require opt-in consent for marketing emails and texts to UK consumers. The 'soft opt-in' exception allows hotels to market similar services to existing customers without consent if the customer was informed at the time of data collection and given an easy opt-out. The ICO's direct marketing guidance (2023) specifically covers hotel loyalty email programmes and post-stay marketing communications.

UK ADEQUACY REVIEW 2025: The EU-UK adequacy decision expires in June 2025. While renewal is expected, hotels transferring data between UK and EU properties must monitor adequacy status. If adequacy lapses, SCCs (EU standard) would be required for EU-to-UK transfers, and UK IDTAs for UK-to-EU transfers — significantly increasing contractual overhead for multi-national hotel groups.
Section 3

How Claire Supports UK Data Protection Compliance

Claire UK Data Protection Capabilities

  • UK GDPR ROPA Builder: Generates UK-specific Records of Processing Activities under DPA 2018; documents DPA Schedule 1 conditions for special category data processing.
  • IDTA/SCC Transfer Manager: Manages UK IDTA and EU SCC status for cross-border data transfers; tracks UK adequacy decisions; flags transfers requiring new safeguards.
  • ICO SAR Workflow: 30-day countdown tracker for UK Subject Access Requests; automated verification steps; escalation alerts for extensions; logs responses for an ICO audit trail.
  • PECR Consent Manager: Tracks soft opt-in qualification for hotel marketing; manages consent records for non-exempt communications; monitors ICO direct marketing guidance.
  • DPA 2018 Schedule 1 Conditions: Documents the legal basis for special category data, including staff health, safeguarding, and disability accommodation processing, under DPA 2018 conditions.
  • UK Breach Notification: 72-hour ICO notification workflow for UK GDPR breaches; generates Article 33/34 notification documentation; tracks the ICO case reference.
Section 4

UK Data Protection Hotel Compliance Checklist

  • UK GDPR ROPA: Maintain Records of Processing Activities under UK GDPR Article 30; separate from the EU GDPR ROPA where operations overlap; DPO sign-off annually.
  • DPA 2018 Schedule 1 Conditions: Document the Schedule 1 condition for each special category processing activity (staff health data, safeguarding, medical emergencies at the property).
  • ICO SAR Response Procedures: 30-day UK SAR response workflow; identity verification process; extension procedures for complex requests; log all requests with ICO-ready documentation.
  • UK IDTA for Non-Adequate Country Transfers: UK International Data Transfer Agreements in place for all UK guest data transfers to non-adequate countries (US, India, China); transfer risk assessments completed.
  • PECR Marketing Consent: Valid opt-in consent or soft opt-in qualification documented for all UK guest marketing communications; unsubscribe mechanism operational within 48 hours.
  • UK Cookie Compliance: ICO cookie consent guidance followed on the hotel website; non-essential cookies require consent; preference centre operational; consent records stored.
  • EU-UK Adequacy Monitoring: Process to monitor EU adequacy decision status; contingency IDTAs and SCCs prepared for an adequacy-gap scenario.
  • ICO Registration: DPA 2018 registration with the ICO renewed annually; registration number displayed in the hotel website privacy notice.
  • DPO Appointment (if required): DPO appointed if the hotel conducts large-scale processing of special category data or systematic monitoring of guests; DPO contact details published.
  • Online Safety Act Assessment: If the hotel website includes user-generated content (reviews, forums), conduct an OSA service category assessment; register with Ofcom if required.
Section 5

Frequently Asked Questions

How does UK GDPR differ from EU GDPR after Brexit?

UK GDPR is largely equivalent to EU GDPR but has several differences: it is enforced by the ICO (not the EDPB); it uses UK International Data Transfer Agreements instead of EU SCCs for non-adequate country transfers; it has its own adequacy recognition list; and it may be amended by the Data Protection and Digital Information Bill (under parliamentary consideration). Hotels must maintain separate UK and EU compliance programmes and appoint a UK GDPR representative if based outside the UK.

What is the Marriott fine's significance for UK hotel compliance?

The ICO's £18.4M fine against Marriott (October 2020) for the Starwood data breach established that hotels must conduct thorough data security due diligence when acquiring other companies' systems. The ICO found violations of UK GDPR Articles 5(1)(f) (integrity and confidentiality), 25 (data protection by design), and 32 (appropriate technical measures). The fine was reduced from a £99M provisional notice following Marriott's cooperation and mitigation evidence — demonstrating the value of proactive compliance programmes.

Does a non-UK hotel need to comply with UK GDPR?

Yes. UK GDPR Article 3 has extraterritorial scope: it applies to controllers and processors outside the UK that process personal data of UK data subjects in connection with: offering goods or services to UK individuals; or monitoring their behaviour in the UK. Hotels outside the UK that market to UK guests, operate UK-facing booking websites, or process UK passport data at check-in must comply. They must also appoint a UK GDPR representative under Article 27 UK GDPR.

What is the ICO's soft opt-in rule for hotel marketing emails?

PECR Regulation 22 allows the 'soft opt-in' exception: a hotel can send marketing emails to existing customers without new consent if: (1) the customer's contact details were obtained during a prior transaction; (2) the marketing is for similar products/services; (3) the customer was given a clear opportunity to opt out when their details were collected and at each subsequent message. For hotels, post-stay marketing emails qualify if the guest was informed at booking and given an unsubscribe option.

Do hotel websites need to comply with the UK Online Safety Act?

UK hotel websites with user-generated content features — guest review sections, community forums, or chat functions — may be in-scope for the Online Safety Act 2023 if the service is accessible to UK users. Ofcom's categorisation framework determines obligations. Category 2 services must conduct illegal content risk assessments and have content moderation procedures. Hotels should assess OSA scope for any interactive features and register with Ofcom if required by their category.
