GDPR readiness checker for independent hotels

Do you maintain a current data inventory listing every personal data category, the system it lives in, and the lawful basis for processing?

Are guest data retention periods defined and automatically enforced (deletion or anonymisation after N years)?

Do all third-party vendors processing guest data have a signed Data Processing Agreement (DPA) in force?

For non-EU vendors (US, UK, others), are Standard Contractual Clauses (SCCs) in place per the 2021 EU framework?

Have you documented a data breach response procedure with a 72-hour supervisory authority notification path?

Can guests exercise their data subject rights (access, deletion, portability) through a documented process within the 30-day GDPR window?

Is consent for marketing communications captured separately from the booking transaction (opt-in, not bundled)?

Are website cookies categorised and gated behind a compliant consent banner (per ePrivacy and 2023 EU enforcement)?

Is the privacy policy specific to your property (not a generic template) and dated within the last 12 months?

Are CCTV and recorded calls disclosed with legal-basis documentation and signage where required?

Have key staff received GDPR training in the past 12 months covering breach response and subject-rights requests?

Does your property meet the DPO appointment threshold (large-scale special-category processing or systematic monitoring), and is one appointed if so?