Hospitality Tech Best Practices For Protecting Consumer Data and Privacy
At iSeatz, we are committed to keeping consumer data secure. Given that we have clients in the financial services sector, we adhere to the most stringent security and privacy requirements. This goes beyond best practices, despite the added logistical complexity.
We focus on three major areas related to security and privacy. Each of these addresses a different set of privacy concerns, although there is substantial overlap.
The General Data Protection Regulation (GDPR) was enacted by the EU in 2016 and has quickly become the de facto “privacy” regulation in the world. The GDPR provides rights that allow any person within the EU (citizens of the EU or not) to control how their personal data is processed. It also provides for sweeping regulatory oversight of the companies that collect and process that personal data, including the threat of fines (to date, the largest single fine was a $230 million fine against British Airways).
The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. The goal of the CCPA is to provide California residents with enhanced control over their own personal information. Specifically, it aims to educate residents on how businesses collect this personal information and what is done with the information that is collected. Furthermore, it allows these residents to decide how their information is used and retained by the businesses.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of industry standards that apply to any company that accepts, stores, processes, or transmits credit/debit card information. These standards cover many different areas of security, from physical security of records to guidelines that help create secure payment solutions.
The Service Organization Control 2 (SOC II or SOC 2) is an audit procedure and certification that ensures that companies provide secure management of data. This certification is often used in conjunction with PCI DSS, but differs from those standards in that SOC II is tailored to the company seeking certification. iSeatz monitors our vendors for continued certification with SOC 2 procedures.
Privacy is a major subject of legislation within the United States and across the globe. Countries, states, and even municipalities continue to pass new legislation every year. Each is a little bit different, so we adhere to the most robust requirements of the various laws to ensure compliance with all.
Because so many of these policies are in their infancy, and the ability to adjudicate and enforce them is nascent, there is still significant confusion about who needs to adhere to which requirement. For example, if a company based in Nigeria processes payments for clients in South Africa, which go through a data center in France, which country’s privacy regulations must the company adhere to? The answer is “it depends,” and for the most part the company will want to match the most stringent requirements of the countries it does business in.
Privacy As A Shared Responsibility
iSeatz has a dedicated Privacy Committee. This cross-departmental team, made up of individuals from compliance, security, and operations, works to ensure privacy continues to be a top priority for iSeatz and that data is being handled in a secure manner. The Privacy Committee regularly reviews policies and procedures for areas of improvement and devises plans of action to ensure that iSeatz remains a leader for privacy initiatives.
Data Collection Mapping
The first step in ensuring that Personal Data is secure is to know what data is being collected. Our Privacy Committee has identified all discrete data points we can collect on any given transaction in our OneView Platform. Each such data point is categorized using a risk assessment tool to gauge potential risk. iSeatz then implements risk mitigation strategies to minimize the potential impacts of these risks.
Our Risk Scoring Methodology measures the “Probability” of an event happening versus the “Impact” that such an event may have upon iSeatz and our clients.
Certain data points such as name, address, and SSN are sensitive on their own. Other pieces of data may not necessarily be sensitive by themselves, but become sensitive when combined with another piece of data. So we also need to track whether non-sensitive data points intersect in a way that makes them sensitive. If so, they need to be treated as sensitive data anywhere they are stored or viewed together.
The Privacy Committee additionally identifies what information needs to be stored, and documents the reason for retention of this data. All personally sensitive information is encrypted both in-transit and at-rest.
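As an added example (not iSeatz's OneView code), the following Python sketches a data-mapping register in the style the two paragraphs above describe: each data point carries an intrinsic sensitivity flag and a Probability × Impact score, and combination rules upgrade non-sensitive fields that are stored or viewed together. Field names, combination rules and scores are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class DataPoint:
    """One discrete data point a platform can collect (values constructed)."""
    name: str
    sensitive: bool   # sensitive on its own, e.g. SSN
    probability: int  # likelihood of an exposure event, 1 (low) .. 5 (high)
    impact: int       # impact on the company and its clients if exposed, 1 .. 5

# Constructed rules: fields that are harmless alone but sensitive together.
SENSITIVE_COMBINATIONS = [
    frozenset({"zip_code", "date_of_birth"}),
    frozenset({"last_name", "card_last4", "booking_ref"}),
]

def risk_score(dp: DataPoint) -> int:
    """Probability x Impact, the two dimensions of the scoring methodology."""
    return dp.probability * dp.impact

def sensitive_combinations(stored_together: set[str]) -> list[frozenset[str]]:
    """Rules triggered by a set of fields that are stored or viewed together."""
    return [rule for rule in SENSITIVE_COMBINATIONS if rule <= stored_together]

def classify(store: dict[str, DataPoint]) -> dict[str, dict]:
    """Classify each field in one store; fields that intersect under a rule are
    upgraded so they are treated as sensitive wherever they sit together."""
    triggered = sensitive_combinations(set(store))
    upgraded = set().union(*triggered) if triggered else set()
    result = {}
    for name, dp in store.items():
        if dp.sensitive:
            reason = "intrinsic"
        elif name in upgraded:
            reason = "combination"
        else:
            reason = "none"
        result[name] = {"sensitive": reason != "none", "reason": reason,
                        "risk": risk_score(dp)}
    return result

# Constructed sample: fields one hypothetical transaction record holds together.
SAMPLE_STORE = {
    "ssn": DataPoint("ssn", True, 2, 5),
    "zip_code": DataPoint("zip_code", False, 3, 2),
    "date_of_birth": DataPoint("date_of_birth", False, 3, 3),
    "loyalty_tier": DataPoint("loyalty_tier", False, 4, 1),
}
```

Running `classify(SAMPLE_STORE)` marks zip_code and date_of_birth as sensitive by combination even though neither is sensitive alone, while the same zip_code field stored by itself stays non-sensitive.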
Knowing How the Data Is Used, and Who Sees It
iSeatz has protocols in place for individuals who handle personally sensitive data from our systems. We ensure that only employees who have a valid business purpose are allowed access to Personal Data. Access is granted on an as-needed basis – a software engineer who needs to access personal data for a particular project will not have global access, nor will their access persist after project completion.
A multi-factor authentication process adds a further layer of protection. Additionally, all staff are mandated to complete regular training on PCI standards, privacy protection, and secure coding practices, and undergo regular simulated phishing tests and training. As a result, our staff regularly achieves results over 10% higher than the industry benchmark (drawn from a data set of 9 million users across 18,000 companies).
The Privacy Committee tracks where the encrypted data is sent. Data flows are mapped so that iSeatz has a record of which vendors or programs have processed the data. We only work with vendors who match our security levels and agree to abide by all relevant contractual and legal privacy terms.
Working with Clients to Further Our Privacy Initiatives
We work very closely with our business partners, both up- and down-stream, to confirm that we are all using the same measures to keep customer data safe and secure. We continuously monitor current privacy trends and regulations to ensure that we meet or exceed current privacy standards. Utilizing leading tools, iSeatz continually conducts Data Mapping and Risk Management assessments. These assessments help us monitor what data we collect, determine the need for collecting that data, and ensure that all personal data is secure.
Privacy has been called “the new corporate culture” by some. For tech organizations, particularly those with a global footprint, strong privacy regulations are a competitive prerequisite and a key part of due diligence. With companies facing fines of millions of dollars over data retention and responding to major data breaches, privacy simply must be a top priority.
If you need assistance creating your privacy policies, or working towards any compliance measures, we can help. Please visit www.iseatz.com/contact-us