ICT and introduction to GDPR

Transcription

1 ICT and introduction to GDPR Presented by Anthony Murray Dalata Hotel Group plc Seán Graham PREM Group/Trinity Hospitality

2 ICT-Building for the future a bottom up approach. Planning for the IT future is like preparing the base for any soup. No matter what comes next the base ingredients are the same. It is only the final ingredients that will determine the flavour.

3 ICT-Building for the future a bottom up approach. The Story so far 2018 GDPR 2017 Cyber Security GDP R 2016 PCI PCI

4 ICT-Building for the future a bottom up approach Different focus to each one but a huge degree of commonality PCI Credit Card Handling & Storage Cyber Security and Risk GDPR Security of Data, and its use/ownership

5 ICT-Building for the future a bottom up approach. Significant element of common sense across all. If it feels icky it probably is If you don t train your team to do something/not do something they aren t going to do what you want them to do If you don t document you cannot track back If you leave the door open someone will walk in

6 ICT-Building for the future a bottom up approach. Do the little technical things right; Renew security licensing for AV, Mail Scanning, Firewalls Keep software & Operating Systems up to date Don t use generic logins & use complex passwords Delete/deactivate departed users from Network & Applications Monitor & Test Backups Dispose of IT Hardware safely

7 ICT-Building for the future a bottom up approach. Do the little things right with 3 rd parties; Check references, talk to people Look for certification Discuss Disaster Recovery Explore the What if s Understand where the responsibilities rest

8 ICT-Building for the future a bottom up approach. Do the little things right with people; Check references Train & Educate Monitor/Test Stop bad habits early, like written password Appoint someone to actively promote/verify compliance Dispose of IT Hardware safely

9 ICT-Building for the future a bottom up approach. So when it goes wrong have a plan and supports in place Technical Legal PR First 48 hours key

10 ICT-Building for the future a bottom up approach. Remember issues are often PICNIC Problem In Chair Not In Computer

11 ICT-Building for the future a bottom up approach.

12 ICT-Building for the future a bottom up approach.

13 Summary - What is GDPR? Replaces Existing EU Data Protection Directive GDPR = Wider Scope, raised standards and higher sanctions More Organisation will now be captured by EU data Protection Law. Fines of up to 4% of annual Group revenue or 20 Million.

14 Summary - What is GDPR? All businesses must comply with the regulations before the deadline date of May 25th 2018 GDPR does not only apply to EU countries, but any country handling EU data It will also apply to all companies in the UK, despite the aftermath of Brexit Data processors are also captured by the regulation marketing will now be based on an opt-in system

15 Right of Access. Individuals have the right to obtain from you confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to that personal data. Right to Rectification. Individuals have the right to obtain from you the rectification of inaccurate personal data and the right to provide additional personal data to complete any incomplete personal data. Right to Erasure ( Right to be Forgotten ). In certain cases, individuals have the right to obtain from you the erasure of their personal data

16 Right to Restriction of Processing. Individuals have the right to obtain from you restriction of processing, applicable for a certain period and/or for certain situations. Right to Data Portability. Individuals have the right to receive from you in a structured format their personal data and they have the right to (let) transmit such personal data to another controller. Right to Object. In certain cases, individuals have the right to object to processing of their personal data, including with regards to profiling. They have the right to object at further processing of their personal data in so far as they have been collected for direct marketing purposes

17 Right to be Not Subject to Automated Individual Decision-Making. Individuals have the right to not be subject to a decision based solely on automated processing. Right to Filing Complaints. Individuals have the right to file complaints about your processing of their personal data with the relevant data protection authorities. Right to Compensation of Damages. In case you breach applicable legislation on processing of (their) personal data, individuals have the right to claim damages from you for any damages such breach may have caused with them

18 What does it mean for us? We need to look at all our process s, Front Office, HR, Sales and Marketing, Finance/Payroll, Social Media, Leisure/Golf, CCTV. We need to look at our staff training. We need to look at the Data we keep. ( Do we need to keep it?) Who has access to that Data? Where is that Data Stored and why is it stored?

19 Guests Lists Introduction to GDPR Some examples of Personal Data Held by a Hotel Reservations Lists Marketing / Advertising Contact Details Membership Data Employee Data Electronic Data such as CCTV Footage -Call Recordings. Payment Card Details

20 Registration Cards Reservations forms Housekeeping Lists left on Trolleys Restaurant Breakfast Lists Spa/Leisure Club questionnaires Unencrypted Laptops Out of Date Mailing Lists Areas of Potential Breach

21 Statutory Retention Periods for HR Data Statement of terms of Employment 1 Year following Termination of Employment Wages and Payroll records 3 Years from the date of Creation Records in relation to Collective Redundancy - 3 Years from the date of Creation Parental Leave Records 8 Years from the date of Creation Carers Leave - 3 Years from the date of Creation Employment Permit Records - 5 Years or equal period to duration of Employment Employment Records of young persons - 3 Years from the date of Creation

22 Statutory Retention Periods for Registration Data Under the Aliens Order of 1946, a proprietor of a hotel is required to keep a register of all persons staying in their property and retain this information for a period of 2 years. The proprietor has a duty to ascertain and enter or cause to be entered, On arrival of any person staying in his premises, the following particulars: Date of arrival, Persons name, Place of ordinary residence, Place of residence immediately before arrival at premises, nationality And on Departure Date of Departure and address to which the person is proceeding

23 Statutory Retention Periods for Financial Data According to the VAT Consolidation Act 2010 records are required to be kept for six years. Section 84 (3) lays out the requirement to hold invoices, credit notes, debit notes etc. In practice, a combination of night audit (digital or hard copy) and a backup of the PMS would suffice on the sales side. For purchases, we have to be in a position to provide copies of invoices we have used to reclaim VAT.

24

25

26

27

28

29

30 Thank You