ICT and introduction to GDPR Presented by Anthony Murray – Dalata Hotel Group plc Seán Graham – PREM Group/Trinity Hospitality



ICT - Building for the future: a bottom up approach

• Planning for the IT future is like preparing the base for any soup. No matter what comes next the base ingredients are the same.

• It is only the final ingredients that will determine the flavour.

The story so far

• 2016 – PCI

• 2017 – Cyber Security

• 2018 – GDPR

ICT - Building for the future: a bottom up approach

Different focus to each one, but a huge degree of commonality:

• PCI – Credit Card Handling & Storage

• Cyber – Security and Risk

• GDPR – Security of Data, and its use/ownership

ICT - Building for the future: a bottom up approach

Significant element of common sense across all.

• If it feels icky…it probably is

• If you don’t train your team to do (or not do) something, they won’t do what you want them to do

• If you don’t document you cannot track back

• If you leave the door open someone will walk in

ICT - Building for the future: a bottom up approach

Do the little technical things right:

• Renew security licensing for AV, Mail Scanning, Firewalls

• Keep software & Operating Systems up to date

• Don’t use generic logins & use complex passwords

• Delete/deactivate departed users from Network & Applications

• Monitor & Test Backups

• Dispose of IT Hardware safely
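Two of the items above, removing departed users and avoiding generic logins, can be checked routinely rather than by memory. The following is an added example written for this page, not code from the presenters or the IHF; it reconciles a constructed account export against a constructed HR leavers list, flags shared logins and idle accounts, and prints the findings. The CSV column names, the sample accounts and the list of "generic" account names are assumptions chosen for illustration.

```python
"""
Added example (not from the slide deck): a small access-hygiene audit covering
'delete/deactivate departed users' and 'don't use generic logins'.
All data below is constructed; the column names and generic-name list are
assumptions, not a real PMS or directory export format.
"""
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample export of network/application accounts (hypothetical format).
ACCOUNTS_CSV = """username,display_name,enabled,last_logon
a.smith,Ann Smith,true,2018-03-01
reception,Front Desk Shared,true,2018-03-09
j.bloggs,Joe Bloggs,true,2018-01-15
m.ryan,Mary Ryan,false,2017-11-02
nightaudit,Night Audit,true,2017-06-30
p.walsh,Pat Walsh,true,2018-03-08
"""

# Constructed HR leavers list: username and last working day.
LEAVERS_CSV = """username,termination_date
j.bloggs,2018-02-01
m.ryan,2017-11-01
"""

# Account names that indicate a shared login rather than a named person (assumption).
GENERIC_NAMES = {"reception", "frontdesk", "nightaudit", "admin", "manager", "bar", "spa", "guest"}


def load_csv(text):
    """Parse an in-memory CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _parse_date(s):
    return datetime.strptime(s, "%Y-%m-%d").date()


def departed_but_enabled(accounts, leavers, as_of, grace_days=0):
    """Return (username, termination_date) for leavers whose account is still
    enabled after their termination date plus an optional grace period."""
    terminated = {r["username"].lower(): _parse_date(r["termination_date"]) for r in leavers}
    findings = []
    for acct in accounts:
        name = acct["username"].lower()
        if name not in terminated or acct["enabled"].lower() != "true":
            continue
        if as_of > terminated[name] + timedelta(days=grace_days):
            findings.append((name, terminated[name]))
    return findings


def generic_logins(accounts):
    """Return enabled accounts whose name matches the shared-login list."""
    return sorted(a["username"] for a in accounts
                  if a["enabled"].lower() == "true" and a["username"].lower() in GENERIC_NAMES)


def stale_logins(accounts, as_of, max_idle_days=90):
    """Return enabled accounts with no logon within max_idle_days of as_of."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(a["username"] for a in accounts
                  if a["enabled"].lower() == "true" and _parse_date(a["last_logon"]) < cutoff)


def run_audit(as_of=date(2018, 3, 10)):
    """Run all three checks against the constructed data and return the findings."""
    accounts = load_csv(ACCOUNTS_CSV)
    leavers = load_csv(LEAVERS_CSV)
    return {
        "departed_enabled": departed_but_enabled(accounts, leavers, as_of),
        "generic": generic_logins(accounts),
        "stale": stale_logins(accounts, as_of),
    }


if __name__ == "__main__":
    for check, hits in run_audit().items():
        print(f"{check}: {hits}")
```

In practice the two CSV strings would be replaced by a scheduled export from the directory and from HR; the value of the check is in running it on a fixed schedule and treating every finding as a ticket, so that a leaver's account cannot quietly stay enabled.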

ICT - Building for the future: a bottom up approach

Do the little things right with 3rd parties:

• Check references, talk to people

• Look for certification

• Discuss Disaster Recovery

• Explore the “What if’s”

• Understand where the responsibilities rest

ICT - Building for the future: a bottom up approach

Do the little things right with people:

• Check references

• Train & Educate

• Monitor/Test

• Stop bad habits early, like written-down passwords

• Appoint someone to actively promote/verify compliance

• Dispose of IT Hardware safely

ICT - Building for the future: a bottom up approach

So when it goes wrong, have a plan and support in place:

• Technical

• Legal

• PR

The first 48 hours are key (and under GDPR a personal data breach must, where feasible, be notified to the supervisory authority within 72 hours of becoming aware of it).

ICT - Building for the future: a bottom up approach

Remember issues are often PICNIC: Problem In Chair, Not In Computer.


Introduction to GDPR (General Data Protection Regulation)

Summary - What is GDPR?

Replaces the existing EU Data Protection Directive.

GDPR = wider scope, raised standards and higher sanctions.

More organisations will now be captured by EU data protection law.

Fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.

Introduction to GDPR (General Data Protection Regulation)

Summary - What is GDPR?

All businesses must comply with the regulation by the deadline date of 25 May 2018.

GDPR does not only apply to organisations in EU countries, but to any organisation handling the personal data of individuals in the EU.

It will also apply to all companies in the UK, despite the aftermath of Brexit.

Data processors (not just controllers) are also captured by the regulation.

Email marketing will now be based on an opt-in (consent) system.

Introduction to GDPR (General Data Protection Regulation)

Right of Access. Individuals have the right to obtain from you confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to that personal data.

Right to Rectification. Individuals have the right to obtain from you the rectification of inaccurate personal data and the right to provide additional personal data to complete any incomplete personal data.

Right to Erasure (“Right to be Forgotten”). In certain cases, individuals have the right to obtain from you the erasure of their personal data.

Introduction to GDPR (General Data Protection Regulation)

Right to Restriction of Processing. Individuals have the right to obtain from you restriction of processing, applicable for a certain period and/or for certain situations.

Right to Data Portability. Individuals have the right to receive from you, in a structured, commonly used and machine-readable format, their personal data, and they have the right to transmit (or have you transmit) such personal data to another controller.

Right to Object. In certain cases, individuals have the right to object to processing of their personal data, including with regard to profiling. They have the right to object to further processing of their personal data where it is processed for direct marketing purposes.

Introduction to GDPR (General Data Protection Regulation)

Right Not to be Subject to Automated Individual Decision-Making. Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

Right to File Complaints. Individuals have the right to file complaints about your processing of their personal data with the relevant data protection authority.

Right to Compensation for Damages. If you breach the applicable legislation on processing of their personal data, individuals have the right to claim compensation from you for any damage the breach has caused them.

Introduction to GDPR (General Data Protection Regulation)

What does it mean for us?

We need to look at all our processes: Front Office, HR, Sales and Marketing, Finance/Payroll, Social Media, Leisure/Golf, CCTV.

We need to look at our staff training.

We need to look at the data we keep. (Do we need to keep it?)

Who has access to that Data?

Where is that Data Stored and why is it stored?

Introduction to GDPR (General Data Protection Regulation)

Some examples of personal data held by a hotel:

Guests Lists

Reservations Lists

Marketing / Advertising Contact Details

Membership Data

Employee Data

Electronic data such as CCTV footage and call recordings

Payment Card Details

Introduction to GDPR (General Data Protection Regulation)

Areas of potential breach:

Registration Cards

Reservations forms

Housekeeping Lists left on Trolleys

Restaurant Breakfast Lists

Spa/Leisure Club questionnaires

Unencrypted Laptops

Out of Date Mailing Lists

Introduction to GDPR (General Data Protection Regulation)

Statutory retention periods for HR data:

Statement of terms of Employment – 1 Year following Termination of Employment

Wages and Payroll records – 3 Years from the date of Creation

Records in relation to Collective Redundancy - 3 Years from the date of Creation

Parental Leave Records – 8 Years from the date of Creation

Carers Leave - 3 Years from the date of Creation

Employment Permit Records - 5 Years or equal period to duration of Employment

Employment Records of young persons - 3 Years from the date of Creation

Introduction to GDPR (General Data Protection Regulation)

Statutory retention periods for registration data

Under the Aliens Order of 1946, a proprietor of a hotel is required to keep a register of all persons staying in their property and retain this information for a period of 2 years.

The proprietor has a duty to ascertain and enter, or cause to be entered, on arrival of any person staying in the premises, the following particulars:

Date of arrival, person’s name, place of ordinary residence, place of residence immediately before arrival at the premises, nationality.

And on departure: date of departure and address to which the person is proceeding.

Introduction to GDPR (General Data Protection Regulation)

Statutory retention periods for financial data

According to the VAT Consolidation Act 2010, records are required to be kept for six years.

Section 84 (3) lays out the requirement to hold invoices, credit notes, debit notes etc.

In practice, a combination of night audit (digital or hard copy) and a backup of the PMS would suffice on the sales side.

For purchases, we have to be in a position to provide copies of invoices we have used to reclaim VAT.


Thank You