A global hospitality company (the Company) initially partnered with Focal Point in October 2017 for GDPR readiness services, specifically to inventory and assess its IT systems – at both the franchisee and corporate levels – and provide an information mapping repository of the key processes and data flows throughout the organization. The Company sought to gain a better understanding of its current alignment with the GDPR. The Focal Point team created a prioritized implementation roadmap of the necessary remediation activities, leveraging a customized risk matrix and system ranking to ensure compliance at each level of operations. In 2018, the Focal Point Privacy team assisted in developing the Company’s Data Subject Rights program and led its CCPA compliance readiness efforts, which are currently ongoing.
Project Summary
Inventory and Assessment
Focal Point created a full inventory of the systems in the Company impacted by the GDPR, laying the groundwork to expertly scope the affected systems and prioritize remediation activities. Based on the Company’s experience and understanding of key IT and security controls, the Focal Point team created a GDPR Systems Control Matrix to identify and evaluate key controls within the scoped systems. Together, the GDPR Systems Inventory and Systems Control Matrix enabled Focal Point’s privacy team to identify specific implementation tasks and either recommend actions to remediate areas of non-alignment or define appropriate mitigating controls.
Information Mapping
For this engagement, the Focal Point team used targeted information questionnaires and initial discovery sessions to develop an Information Mapping Repository, which was then used to create detailed visual processing maps for a number of higher-risk data flows and processing activities.
These efforts ultimately provided valuable insights into the Company’s complete information lifecycle, identified several unforeseen and/or unintended uses of employee and customer personal information, and communicated the Company’s necessary technical and organizational safeguards across the organization, in franchisee and corporate operations alike. This enabled Focal Point’s team to successfully implement an entire data subject rights program as part of their GDPR remediation activities.
Success and Continued Support
The Company’s franchisee and corporate operations are now aligned with the requirements of the GDPR, reducing the risks of expensive and damaging penalties for noncompliance. The Focal Point team was also able to implement several technical enhancements during this engagement’s remediation activities, offering more governance and insight to the Company overall.
Following the success of the Company’s GDPR assessment and remediation implementation, the Company has continued to partner with Focal Point to lead its CCPA compliance readiness efforts. The Focal Point Data Privacy team is currently completing this initiative.