This means you need to have at least one lawful reason for processing Personal Data.
If you don’t have at least one lawful reason your business is in breach of GDPR.
Helpfully, GDPR identifies six lawful reasons for you to choose from:
Source: Information Commissioner’s Office, Overview of the General Data protection Regulation (GDPR) 17th August 2017, licensed under the Open Government Licence
In reality, hotel businesses are likely to make use of the first two on that list. Your business will need Consent from the Data Subject as the bare minimum. It is best if you’re able to cite two lawful reasons for processing data. Item 6 “Legitimate Interest” may also be available to you IF you prepare properly.
Your other lawful reason for processing personal information will probably be for the “performance of a contract”.
Occasionally you may be able to use “compliance with a legal obligation”. Using the terms of the liquor licensing law for example.
“Safeguarding the vital interests of a Data Subject” might become relevant when handling certain aspects of employee data. But you really need to seek a qualified legal opinion in each case.
Item 6 “Legitimate Interests Pursued By The Controller” is going to be an option, in some cases, to allow good direct marketing to take place. It is possible that this could signal a resurgence in direct mail for example. GDPR appears to recognise that it is quite reasonable for a business to wish to add value to a relationship with a customer, or to seek new customers using “Legitimate Interest” instead of consent as a lawful reason for processing personal data.
However. Be aware that if you want to make use of this reason for sending out direct marketing pieces, you need to be able to illustrate that you have thought things through, planned carefully and observed the interests of the private individuals involved. You should complete a “Legitimate Interest Assessment” (LIA) before you send anything to anyone.