Focal Point’s GDPR and global privacy services client (“the Company”) is a recognized leader in the hospitality and travel leisure industry, representing a number of brands and one of the world’s largest fleets of cruise liners and luxury vessels. As a Fortune 500 company and a globally recognized organization, the Company employs over 120,000 staff members to support both its land-based and on-sea operations – accommodating more than 11.5 million guests from several hundred ports of call around the globe.
In early 2016, the Company recognized the pending shift in global privacy trends and the precedent set by Europe’s GDPR legislation. The Company knew it needed to implement significant technical and operational changes to align with the GDPR’s new requirements, but it also understood that these remediations were likely to become necessary throughout its operations as other countries followed suit, passing similarly stringent privacy regulations of their own.
To stay ahead of the curve, the Company selected Focal Point’s Data Privacy team to not only ensure its compliance with GDPR by May 2018, but to also fully assess and implement the necessary remediations in its operations globally. The Company wanted to align with both the GDPR and evolving privacy demands around the world. The Company partnered with Focal Point to develop and implement a new data privacy program, one which was able to better govern the collection and usage of personal data in the dawning era of privacy awareness.
Towards Global Compliance
As a result of the Company’s complex usage, storage and transfer practices, the Focal Point team first established an understanding of the key data processes, existing privacy and security safeguards, and current alignment to applicable EU standards, including recent GDPR mandates. Focal Point identified four objectives during the initial evaluation:
- Identify assets and map information related to the collection, processing, transferring, and storage of personal information from both employees and guests
- Assess the Company’s current alignment with GDPR and develop a roadmap that would outline its operational and technical needs for ensuring full GDPR alignment, leveraging a proven risk-based approach and prioritizing necessary actions
- Recommend and implement privacy program function enhancements to establish sustainable options for maintaining these processes and assets
- Develop a privacy impact assessment program capable of identifying and managing current privacy risks and addressing similar global and regional regulations
Success and Continued Support
Following the success of these efforts, the Focal Point team was able to identify all of the Company’s impacted systems, both in-house and those that were hosted by external third parties. Focal Point delivered a multi-phased remediation and program development project plan that addressed gaps in the Company’s technical- and security-related controls throughout the information lifecycle. Using industry tools and the information gained from expertly led discovery sessions – across geographically dispersed operations – Focal Point delivered a sustainable privacy program capable of meeting the Company’s data privacy requirements in the face of changing global demands. The Focal Point Data Privacy team has continued to support these program assessment and implementation needs over the years.