Partner questions
Is there a process in place to periodically review and assess partners’ practices as they apply to guest information security policies?
Know your data and where it is
From a purely IT perspective, the first step should be to undertake a ‘data discovery’ exercise, keeping track of the vast reams of personal data that are received, processed and stored. It’s essential to know what data is held, where it is, where it moves and who has access to it. This exercise avoids situations in which, for example, payment card information falls into the wrong hands or is stored on a device long after it’s needed. If you don’t know where PII and payment card data is, use a data discovery tool to locate it in your organisation. Once you know what type of data you have, you can decide how you want to handle it, given the Principles and Code of Practice you have defined for your organisation. You need to determine whether it should be deleted, redacted, encrypted, placed in quarantine, or stored on a third-party system where staff can access it regularly within a safe environment. It’s also important to establish policies for managing access rights and to ensure these are regularly audited.
PCI DSS & GDPR: laying foundations
hospitalitytoday.com | 19
For organisations that are PCI DSS compliant, the good news is that you already have the foundations in place and have taken appropriate steps, such as:
Maintaining an information security policy and establishing who is accountable for protecting data.
Putting in place and maintaining secure systems to prevent data breaches, including a firewall, continually updated anti-virus software, access controls and other protective measures.
Encrypting cardholder and other sensitive data. Encryption plays a major role in data protection; it’s used when confidential information is sent across public networks.
Ensuring that your IT systems are set up adequately, and investing in up-to-date security technologies.
Call in the experts
The rules around GDPR are complex, and achieving compliance is no small undertaking, even for larger organisations. It may therefore make sense to offload compliance to third-party providers, who can let you accept and store documents safely in an accredited environment. This option lifts the burden of compliance from internal IT staff, avoids the need to employ a dedicated, full-time security officer, and saves the substantial sums required to maintain compliance year in and year out. Whatever you decide to do, one thing is certain: you need to plan. And, while we all tend to put off the inevitable, this time you can’t afford to. It’s essential to prepare the groundwork now so that, come May 2018, you can be sure you’re securing your customers’ personal data. You need to be ready for GDPR.