Hospitality and Its Regulatory Burden
GRC Labs lets large hospitality organizations manage their compliance and risk efforts in a single, easy-to-use GRC solution, so they can turn those efforts into increased customer trust and, in turn, revenue.
The hospitality industry thrives on collecting data so that it can understand its customers' behavior and anticipate their needs. Operators also design as many self-service options as possible, such as automated check-in, room entry by smartphone, and location-based services, both to keep costs low and to give guests as much control over their stay as they want.
Large hospitality businesses with many properties also want a uniform experience: a high-value guest is always pre-booked into her preferred room, with the same gift basket waiting, and the same meal discount arriving by email 20 minutes after she checks in.
Consider the data a hospitality chain is likely to hold: 1. personally identifiable information (PII), 2. sensitive financial information such as payment card data, 3. customer purchasing-behavior data, and, alongside it, the documents that govern that data: 4. data security and privacy policies and 5. data retention policies.
Hospitality businesses today also live or die by loyalty programs, so they also collect user IDs and passwords (which should be stored only as salted hashes, never in clear text) and, increasingly, location data.
All of that data is protected by multiple laws and regulations that can reach across jurisdictions. A United States hotel chain, for example, is subject to the EU's GDPR if it offers rooms to people located in the European Union, whatever their citizenship. Data collected online from children requires parental consent (COPPA in the United States for children under 13; the GDPR for children under 16, or a lower age set by a member state). Payment card data is governed by the PCI DSS, a contractual standard imposed by the card brands rather than a statute, and by state breach-notification laws. Loyalty credentials may also be cached on several devices the guest owns, so a lost phone or tablet widens the exposure.
Compliance Objectives
A compliance program for a hospitality chain has to do the following:
Assess vulnerabilities at the network and application layers.
Remediate any weaknesses, whether through security patches to software or through changes to data collection practices.
Report those risk assessments and remediations to other parties (auditors, acquiring banks, regulators) as necessary.
Study data collection practices for non-compliant behavior (say, processing the data of people in the EU without a lawful basis such as consent).
Track progress on those remediation efforts.
Integrate new threat alerts and updated regulations into the compliance program as they arrive.
Businesses can work with multiple frameworks to achieve those objectives. Payment card data can be secured under the PCI DSS. Other sensitive data can be governed by NIST frameworks (such as the Cybersecurity Framework or the SP 800-53 controls) or by ISO/IEC 27001. Tracking risk assessments, gap analyses, and remediation efforts across several frameworks at once, however, can be daunting.