Legal requirements for tourism businesses

Data protection in tourism businesses


All serviced and self-catering accommodation premises must keep a record of all guests over the age of 16. The record should include full name and nationality. See keeping a guest register in your tourist accommodation business.

When keeping a guest register, even if it's just names and contact details, you must protect your guests' privacy under the Data Protection Act 2018. The Act regulates how personal information is used, and requires businesses to comply with eight rules of good information handling. It also requires some businesses to tell the Information Commissioner's Office (ICO) what they use personal information for.

The General Data Protection Regulation (GDPR) came into force on 25 May 2018. It replaces the 1998 Data Protection Act and introduces new rules on processing and safeguarding personal data. 

Data security and credit cards

If you handle customers' credit or debit card numbers, you must follow the standards of the Payment Card Industry Security Standards Council. The standard applies to any organisation that stores, transmits or processes cardholder information.

Find out how to protect your customers and achieve Payment Card Industry Data Security Standard (PCI DSS) compliance. See accepting online payments.