Vendor liability and oversight: Hotels and online travel agencies remain accountable for guest data even when processed by third‑party vendors (bookings, payments, cloud). Weak vendor security can expose them to DPDPA penalties.
Data retention and minimisation: The act requires that data be deleted once its intended purpose is fulfilled. Large, unmanaged repositories of guest data should be minimised to reduce the risk of breaches and ensure compliance.
Consent and transparency: Using guest data for profiling, marketing, or loyalty programs demands explicit, granular, and easily revocable consent. Hidden or opaque practices do not just risk non-compliance; they can also lead to serious reputational damage and legal consequences.
Security and breach response: DPDPA mandates robust safeguards and prompt breach notifications. Hospitality businesses must go beyond compliance – fortify encryption, tighten access controls, and implement rapid incident response to protect sensitive guest data and preserve trust.
IoT and emerging risks: Smart rooms, connected locks, and loyalty programs dramatically expand the attack surface. Under DPDPA, organisations must secure every IoT device and apply heightened protection to high-profile guest data – because one weak link can compromise trust and trigger severe penalties.
Privacy: From check-in to check-out
DPDPA demands strong vendor oversight, data minimisation, clear consent, rapid breach response and protection across IoT and smart rooms
Key Contacts
Vivek Agarwal
Partner and Head - Public Infrastructure, Lead - Industrial and Infrastructure Development Advisory, Government and Public Services
KPMG in India
Nitin Shah
Partner – Digital Trust, Head – Cyber Security, Resilience and Privacy Strategy & Governance
KPMG in India
Shikha Kamboj
Partner, Digital Trust, National Leader, Data Privacy and Ethics
KPMG in India