GDPR for holiday lets: a plain guide for hosts

A plain-English GDPR guide for holiday-let hosts: the guest data you hold, whether to register with the ICO, a privacy notice, and keeping data secure.

The StayBinder team 5 min read

The moment you take a booking, you are handling someone’s personal data: their name, their email, maybe a phone number, an arrival time and a payment. GDPR for holiday lets is simply the set of rules for doing that responsibly, and for a one-cottage owner it is far less daunting than the acronym suggests. This is a plain-English guide to what UK holiday-let hosts actually need to do, written for people who let homes, not lawyers.

A quick, honest caveat first: this is general guidance to help you get oriented, not legal advice. For anything specific, the Information Commissioner’s Office (ico.org.uk) is the free, authoritative source, and a short call with a professional is worth it if you run at scale.

You are the “data controller”

Under the UK GDPR and the Data Protection Act 2018, the person who decides why and how personal data is used is the “data controller”. When you collect a guest’s details to fulfil a booking, that is you. The booking platform (Airbnb, Vrbo, Booking.com) is a controller for the data it holds, but the spreadsheet of guest emails on your laptop, the arrival notes and the guestbook entries are yours to look after.

Being a controller is not a burden to fear. It mostly means being deliberate about a few sensible things, set out below.

What guest data do you actually hold?

Start by listing it, because you cannot protect what you have not mapped. For a typical holiday let it is usually:

  • Booking details: name, dates, party size, and contact email or phone.
  • Payment information (normally held by the platform or Stripe, not by you directly).
  • Arrival and access notes, sometimes a vehicle registration for parking.
  • Any ID you ask for at check-in, and CCTV footage if you have a camera.
  • A marketing list, if you email past guests.
  • Guestbook messages and reviews.

The single most useful habit is data minimisation: only collect what you genuinely need. If you do not need a guest’s passport scan, do not ask for it. Less data held is less data to secure, and less to worry about.

Do you need to register with the ICO?

Most organisations that process personal data must pay the ICO an annual data protection fee, and the lowest tier is modest. Some small operations are exempt, and the rules are genuinely fiddly, so do not guess. The ICO has a free self-assessment that tells you in about a minute whether you need to register and pay. Do that, keep the result, and set a reminder to renew. If you let through an agency, ask who is registered for what.

Write a short privacy notice

GDPR expects you to tell guests, in plain terms, what you do with their data. That is a “privacy notice”, and it does not need to be long. It should cover what you collect, why, your lawful basis (for a booking this is usually performing a contract, with consent for any marketing), how long you keep it, who you share it with, and how a guest can ask to see or delete their data.

You do not have to write it from a blank page. Our own privacy notice is a working example of the structure, and our sub-processor list shows how to be transparent about the third parties involved. Put a link to your notice wherever you collect data.

Keep it secure, and do not over-share

Most real-world problems are not dramatic hacks; they are an unlocked laptop, a shared spreadsheet, or a guest list emailed to the wrong cleaner. A few plain habits cover most of it:

  • Use reputable tools with their own security, rather than loose spreadsheets and email threads.
  • Limit who can see guest data to the people who need it.
  • Use strong, unique passwords and two-factor authentication on anything holding guest details.
  • Do not paste guest personal data into a public welcome guide or a shared document.

This is also where the format of your guest welcome guide matters. A guide that asks guests to log in, or that tracks them with advertising cookies, quietly creates data you then have to account for. StayBinder is built the other way on purpose: guests open the guide by scanning a QR code with no app and no login, the analytics are cookie-free and anonymous, and every guestbook entry waits for your approval before it appears. There is simply less guest data created, which is the easiest compliance of all.

Set a retention period, then actually delete

“Storage limitation” means you should not keep personal data forever. Decide how long you genuinely need each thing (your accountant will have a view on financial records), then delete the rest on a schedule. A guest who stayed three years ago does not need to be on your active contact list unless they asked to be.

If something goes wrong

A personal data breach is any loss or unauthorised exposure of personal data: a lost phone with the guest list, an email sent to the wrong person, a compromised account. If a breach is likely to risk people’s rights, you must report it to the ICO within 72 hours, and tell the affected guests if the risk is high. The practical takeaway: keep a short note of what you would do, and reduce the surface area by holding less data in fewer places in the first place.

A short checklist

  1. List the guest data you hold and where it lives.
  2. Cut anything you do not actually need.
  3. Run the ICO self-assessment and register if required.
  4. Publish a plain privacy notice wherever you collect data.
  5. Secure your tools: access limits, strong passwords, two-factor.
  6. Set retention periods and delete on schedule.
  7. Know the 72-hour breach rule before you ever need it.

Handled this way, GDPR for a holiday let is mostly common sense written down. If you run several properties, the same duties scale up, and our notes for property managers cover keeping a portfolio consistent. And when you build the guest-facing side, a guide that holds less data by design, like the one in our guest information book guide, is the calmest place to start. You can try StayBinder free for 14 days, no card needed.
