The new General Data Protection Regulation (GDPR) significantly expands the data privacy and protection regime within the European Union (EU). The Casual Dining Group (The Group), alongside its suppliers and contractors, must comply with these rules where applicable.
The Group places high importance on information security and we have engaged in a companywide programme to address the requirements of GDPR and the use of data, specifically personal data. This involves working with our suppliers and partner organisations to ensure they can meet these obligations.
The key elements of our programme include:
- GDPR Gap Analysis – The Group has engaged the DPO Centre Ltd. to provide Data Protection Officer (DPO) services. Working with our in-house GDPR Steering Committee, our DPO has conducted a GDPR Gap Analysis. The Group has taken an agile approach to achieving the set targets. We continue to review all required policies, update them to GDPR standard and enhance our systems and processes in response.
- Data Impact Assessments, Inventories and Mapping – The Group has conducted a Data Protection Impact Assessment (DPIA) across the organisation, which includes the preparation of a data asset register and the identification of associated third-party processors. As outlined under GDPR Articles 35 and 36, the DPIAs identify the relevant data components for ensuring adherence to the GDPR Principles. The DPIA describes the nature, scope, context, lawful basis and purposes of the processing; assesses necessity, proportionality and compliance measures; identifies and assesses risks to individuals; and identifies any additional measures to mitigate those risks. The data flow mapping identifies the collection, location, storage, sharing, security, retention and deletion of information across the complete data life cycle, as applicable between The Group, its data subjects and third parties.
- Policy Enhancement – The Group has updated policies to GDPR standard and has created new policies where required. This includes refreshing our Privacy Policies, Data Breach Policy and Supplier and Third-Party agreements, with a specific GDPR focus. Following ICO recommendations, The Group is also adopting a new approach to Data Subject Access Requests for recording requests and sharing requested personal data. A new Data Protection Policy and a companywide Data Retention Policy have also been created.
- Training and Culture – We engaged Gateley PLC to conduct in-house GDPR training for various teams across the Group. An online training and assessment module on GDPR data handling procedures and requirements has also been set up for staff. Staff are also informed of policies and procedures specific to their roles and departments via the staff online platform, regular communications and printed notices.
- Third-party relationships – Following our data mapping exercise, we have reviewed all third-party relationships that are in scope for compliance with GDPR Article 28, including all contractual agreements. We are working with these third parties to update agreements where needed, within the appropriate relationship terms: controllers, processors, suppliers and contractors.
- Technology – The Group continually reviews data and information security protection controls to maintain their efficiency and effectiveness, as outlined under Articles 25 and 32 of GDPR.
- Client Agreements (Business-to-Business) – The Group continues to respond to all Client Agreements and addendums that address the GDPR requirements. To meet the requirements of GDPR Article 28(3) and its obligations to clients and data subjects, The Group has also sent all its clients a notification of all appointed sub-processors acting on its behalf.