Latest legislative updates

Kurt JansonKurt Janson, Director of the Tourism Alliance, gives a monthly update on the latest regulatory changes affecting the hospitality industry. 

Last updated 8th February 2018

Disclaimer:  Whilst every effort has been made to ensure the accuracy of the information contained in the Pink Book of Legislation, we regret that we cannot be responsible for any errors. This guide is not intended to be a definitive statement of the law in England. If you require precise or detailed information on the legislation mentioned in this guide, or on the legal implications for you in particular, you should consult a professional legal adviser.

At a glance:

Reminder: Ban on Card Charges

  • As of 13th January you are no longer able to charge customers extra for paying by card.

Changes to Primary Authority

  • Trade Associations are now able to sign Primary Authority agreements on behalf of their members, standardising regulatory requirements.

Prepare now for changes to Data Protection Regulations

  •  The General Data Protection Regulation (GDPR) comes into force on 25th May 2018, replacing the Data Protection Act (DPA).

Reminder: Ban on Card Charges

Remember that the law changed on the 13th January 2018 so you are no longer able to charge a processing fee for receiving payments via credit or debit card. This includes all payment methods linked to a card, such as PayPal or Apple Pay.

This new legislation has been brought in to prevent situations where the customer goes through a booking process only to find that charges are applied right at the end when the customer is about to pay – a practice that was relatively common in some sectors such as the aviation industry. As a consequence, you will now have to either absorb the cost of card payments or increase prices accordingly.

There is a quirk in that the new law only applies to purchases made by personal consumers and not to purchases made by businesses. So, if your customer is a business (e.g., a company booking rooms for an away day or someone travelling on business) then you are allowed to charge a card processing fee, provided that it is no more than the cost to you of processing the transaction.

However, in this situation it is important to note that a business traveller must be using a business card for you to charge a fee. You cannot charge a card processing fee if the business traveler is using their personal card, regardless of whether they will reclaim the accommodation as a business expense later.

There is currently a debate as to whether the new legislation allows you to introduce a ‘booking fee’ or ‘service charge’, provided that this charge is applied uniformly regardless of how the payment is made. For example, Deliveroo have recently replaced their 50p card surcharge fee with a 50p service fee, which is applied regardless of whether someone pays by card or with cash.

However, this approach is being challenged and the Advertising Standards Authority has pointed out that current legislation requires that all non-optional charges be included in or alongside the advertised price. Therefore, if you were to charge a separate booking fee, you would need to put this alongside your advertised prices and not simply add it to the cost at the end of the booking process.

Changes to Primary Authority

Councils interpret and enforce regulations in different ways, which can create confusion and additional work for businesses, especially those that operate multiple premises across the country. For example, if you operated a budget hotel chain you would need to ensure that the standard fire protection system you designed would comply with the requirements of every local Fire Safety Officer.

This problem led the Government to introduce the concept of Primary Authority in 2009. Primary Authority is a legal process designed to improve regulatory enforcement and a way to resolve the challenge of inconsistency in approach by different Local Authorities and enforcement bodies.

Primary Authority allows multiple-authority companies (such as a budget hotel chain) to sign a Primary Authority agreement with a chosen Local Authority, which agrees standard risk assessments and inspection plans for specific regulatory areas (e.g. fire or food safety). This agreement would then override any additional requirements by another Local Authority and provide a standard set of requirements to be followed across the country.

The Government has now expanded the scope of Primary Authority so that Trade Associations are able to sign Primary Authority agreements with Local Authorities on behalf of their members. So if you are a member of a Trade Association, they will now be able to develop and implement a Primary Authority on your behalf.

For example, the British Hospitality Association (BHA) has recently created a partnership with Cornwall Council, which is a Primary Authority for the catering sector. This means that all BHA member businesses who opt in can be assured they will be held to one consistent hygiene standard.

For more information, read the Primary Authority information page on the website.

Prepare now for changes to Data Protection Regulations

The General Data Protection Regulation (GDPR) comes into force on 25th May 2018, replacing the Data Protection Act (DPA).

Generally, the requirements of the GDPR are much the same as the requirements of the DPA. This means that if you are complying with the DPA at the moment, then you probably do not need to change your current system of collecting, handling and storing customer data. You will need to concentrate on the additional requirements and modify your system accordingly.

The main changes are:

1.The Right to be Forgotten

This is the main change.  A customer can, at any time, request that you remove all their personal data from your system. If the customer has previously agreed that you could provide their data to a third party, you must also stop doing this if you receive a Right to be Forgotten request.  However, it is important to note that any Right to be Forgotten request does not override requirements to hold information under other legislation. For example, you are required by law to keep financial records for seven years, therefore a customer cannot request that you delete records of any financial transactions they undertook in the last seven years.

2. Improving Consent and Withdrawal of Consent

The conditions for consent have been strengthened so that you must be clear and upfront with customers about what exactly they are consenting to when they sign-up. This is to stop companies hiding the details in their terms and conditions. So, if you are planning to pass their information on to a third party and to email them a newsletter, you must tell them in simple and clear language next to the box they are ticking. 

Importantly, it must be as easy for customers to withdraw consent as it is to give consent.​ So if you have a simple tick-box online where customers give consent, then there should also be a simple tick-box online to withdraw consent.

3. Right to Access

The GDPR also expands the rights of customers to access the information that you hold on them. This has two parts – first, on request from the customer, you are required to inform them if personal data concerning them is being processed, where and for what purpose. Second, if requested, you must provide a copy of all the personal data you hold on the person electronically and free of charge. This includes any information you have made on the person’s file so if you have added notes such as, “likes the Sunday Times”, “owns a Spaniel called Arthur” or “never leaves a tip”, you also need to provide this information.

4. Notification of Data Breaches

The GDPR will require you to notify the Information Commissioners’ Office within 72 hours of first having become aware of the breach where that breach is likely to “result in a risk for the rights and freedoms of individuals”. For any breach, you are required to notify the customers “without undue delay” after first becoming aware of a data breach.

Although May 2018 is still some time away, it is worth thinking about the impact of these changes on your business now to schedule any amendments that you need to make into your website maintenance and company policy manual update programmes.