ICT and introduction to GDPR
Presented by
Anthony Murray – Dalata Hotel Group plc
Seán Graham – PREM Group/Trinity Hospitality
ICT - Building for the future: a bottom-up approach
• Planning for the IT future is like preparing the base for any soup. No matter what comes next the base ingredients are the same.
• It is only the final ingredients that will determine the flavour.
The story so far
• 2016 – PCI
• 2017 – Cyber Security
• 2018 – GDPR
Each has a different focus, but there is a huge degree of commonality:
• PCI – Credit Card Handling & Storage
• Cyber – Security and Risk
• GDPR – Security of Data, and its use/ownership
There is a significant element of common sense across all of them:
• If it feels icky…it probably is
• If you don’t train your team to do something (or not to do something), they aren’t going to do what you want them to do
• If you don’t document, you cannot track back
• If you leave the door open someone will walk in
Do the little technical things right:
• Renew security licensing for AV, Mail Scanning, Firewalls
• Keep software & Operating Systems up to date
• Don’t use generic logins & use complex passwords
• Delete/deactivate departed users from Network & Applications
• Monitor & Test Backups
• Dispose of IT Hardware safely
Do the little things right with 3rd parties:
• Check references, talk to people
• Look for certification
• Discuss Disaster Recovery
• Explore the “What if’s”
• Understand where the responsibilities rest
Do the little things right with people:
• Check references
• Train & Educate
• Monitor/Test
• Stop bad habits early, like written-down passwords
• Appoint someone to actively promote/verify compliance
• Dispose of IT Hardware safely
So when it goes wrong, have a plan and supports in place:
• Technical
• Legal
• PR
The first 48 hours are key.
Remember issues are often PICNIC: Problem In Chair, Not In Computer.
Introduction to GDPR (General Data Protection Regulation)
Summary - What is GDPR?
Replaces the existing EU Data Protection Directive.
GDPR = wider scope, raised standards and higher sanctions.
More organisations will now be captured by EU data protection law.
Fines of up to 4% of annual Group revenue or €20 Million.
All businesses must comply with the regulation before the deadline of May 25th 2018.
GDPR does not only apply to EU countries, but to any country handling EU data.
It will also apply to all companies in the UK, despite the aftermath of Brexit.
Data processors are also captured by the regulation.
Email marketing will now be based on an opt-in system.
Right of Access. Individuals have the right to obtain from you confirmation as to whether or not personal data concerning them is being processed and, where that is the case, access to that personal data.
Right to Rectification. Individuals have the right to obtain from you the rectification of inaccurate personal data and the right to provide additional personal data to complete any incomplete personal data.
Right to Erasure (“Right to be Forgotten”). In certain cases, individuals have the right to obtain from you the erasure of their personal data.
Right to Restriction of Processing. Individuals have the right to obtain from you restriction of processing, applicable for a certain period and/or for certain situations.
Right to Data Portability. Individuals have the right to receive from you, in a structured format, their personal data, and they have the right to transmit (or have transmitted) such personal data to another controller.
Right to Object. In certain cases, individuals have the right to object to processing of their personal data, including with regard to profiling. They have the right to object to further processing of their personal data in so far as it has been collected for direct marketing purposes.
Right Not to be Subject to Automated Individual Decision-Making. Individuals have the right not to be subject to a decision based solely on automated processing.
Right to Filing Complaints. Individuals have the right to file complaints about your processing of their personal data with the relevant data protection authorities.
Right to Compensation of Damages. If you breach applicable legislation on the processing of their personal data, individuals have the right to claim from you compensation for any damages such a breach may have caused them.
What does it mean for us?
We need to look at all our processes: Front Office, HR, Sales and Marketing, Finance/Payroll, Social Media, Leisure/Golf, CCTV.
We need to look at our staff training.
We need to look at the data we keep. (Do we need to keep it?)
Who has access to that Data?
Where is that Data Stored and why is it stored?
Some examples of Personal Data Held by a Hotel
Guests Lists
Reservations Lists
Marketing / Advertising Contact Details
Membership Data
Employee Data
Electronic data such as CCTV footage and call recordings
Payment Card Details
Areas of Potential Breach
Registration Cards
Reservations forms
Housekeeping Lists left on Trolleys
Restaurant Breakfast Lists
Spa/Leisure Club questionnaires
Unencrypted Laptops
Out of Date Mailing Lists
Statutory Retention Periods for HR Data
Statement of terms of employment – 1 year following termination of employment
Wages and payroll records – 3 years from the date of creation
Records in relation to collective redundancy – 3 years from the date of creation
Parental leave records – 8 years from the date of creation
Carer’s leave records – 3 years from the date of creation
Employment permit records – 5 years, or a period equal to the duration of employment
Employment records of young persons – 3 years from the date of creation
Statutory Retention Periods for Registration Data
Under the Aliens Order of 1946, a proprietor of a hotel is required to keep a register of all persons staying in their property and retain this information for a period of 2 years.
The proprietor has a duty to ascertain and enter, or cause to be entered, on arrival of any person staying in the premises, the following particulars: date of arrival, the person’s name, place of ordinary residence, place of residence immediately before arrival at the premises, and nationality.
On departure: the date of departure and the address to which the person is proceeding.
Statutory Retention Periods for Financial Data
According to the VAT Consolidation Act 2010, records are required to be kept for six years.
Section 84(3) lays out the requirement to hold invoices, credit notes, debit notes, etc.
In practice, a combination of night audit (digital or hard copy) and a backup of the PMS would suffice on the sales side.
For purchases, we have to be in a position to provide copies of invoices we have used to reclaim VAT.