Legal requirements for tourism businesses

Data protection in tourism businesses


All serviced and self-catering accommodation premises must keep a record of all guests over the age of 16. The record should include full name and nationality. See keeping a guest register in your tourist accommodation business.

When keeping a guest register, even if it's just names and contact details, you must protect your guests' privacy under data protection law. The UK General Data Protection Regulation (UK GDPR) sets out the key principles, rights and obligations for processing of personal data. 

Data security and credit cards

If you handle customer's credit/debit card number, you must follow the standards of the Payment Card Industry Security Standards Council. The standard is applicable to any organisation that stores, transmits or processes cardholder information.

Find out how to protect your customers and achieve the Payment Card Industry Data Security Standard (PCI DSS) compliance; See accepting online payments.

  • ICO Northern Ireland
    028 9027 8757
Developed with:
  • Tourism NI