Restaurant chain TGI Fridays UK has deployed Governance, Risk and Compliance vendor SureCloud’s GDPR suite to centralise and track its data and GDPR compliance, ensuring that the restaurant is equipped to meet GDPR requirements and to efficiently manage, store and analyse data. This solution replaces TGI Fridays’ manual data mapping and processing methods.
When TGI was looking for a solution to streamline its GDPR compliance processes, it approached SureCloud in late 2017 and committed to using the SureCloud GDPR Application Suite in December 2017. At the time, TGI was also using a ‘cumbersome’ Excel spreadsheet to produce its annual report and was in the process of reviewing its suppliers. These manual methods lacked the reporting capabilities that the restaurant needed to fulfil its GDPR requirements.
Its recommendation was the SureCloud GDPR Suite, delivered on the SureCloud platform. SureCloud has enhanced TGI’s ability to manage and provide reports on data subjects. Data can now be stored in a single centralised platform, which provides access for multiple users at TGI. After SureCloud had successfully demonstrated that it could provide full visibility for management and automation of GDPR processes across the organisation, TGI selected its cloud-based suite of solutions.
The five applications TGI Fridays chose to deploy from the SureCloud GDPR Suite were:
- GDPR Program Tracker – to enable TGI to map all its disparate data and workflows using intelligent risk-based questions
- GDPR Management – to provide all mandatory GDPR business-as-usual processes
- Information Asset Management – to record and maintain TGI’s entire data inventory
- Compliance Management for GDPR – to help TGI speed up its process of attaining compliance and ongoing real-time risk remediation
- Incident Management for GDPR – to meet the GDPR requirement to log, track and notify the ICO of any data breaches, should an incident arise
TGI can now build and maintain information assets in a register, which provides instant reporting and analysis of data subjects. TGI is using Data Privacy Impact Assessments to identify and minimise the privacy risks of new projects, systems or policies. Its Data Risk Management (DRM) solution is recording interactions with people and providing clearer oversight and analysis of its retention policies. Moving forward, TGI is conducting a biannual statistical analysis of its data subjects to identify and measure levels of risk across the business. The solution also facilitates assessments and aggregates the data from TGI Fridays’ suppliers, making it easier to grade suppliers and their risks without having to extract the data from multiple different spreadsheets, which accelerates the vendor risk assessment process.
Jeremy Dunderdale, IT Manager at TGI Fridays, said:
“Since 2010 we had used the SureCloud platform for vulnerability testing and when we needed to conduct our third-party risk management assessment, we were working from a cumbersome Excel spreadsheet which we were using to send out annually, and we also had to review our suppliers. We then turned on the third-party risk management assessment module around 18 months ago to start utilising this. We were aware of other features of the GDPR Suite and were conscious that what we needed under GDPR – spreadsheets did not cut it.
“Everything is now brought together in a single location. We grade the system according to low, medium and high risk. It is all in the system meaning we now no longer need to look at 20 to 30 different spreadsheets. It pools the risks out of each individual spreadsheet. It is showing it on an overall platform. That is the benefit and what is nice is that it helps in a way with GDPR to ensure we appoint suppliers who have decent processes in regard to security.”
TGI has put together an updated third-party risk management assessment, which current and future suppliers that provide, or aspire to provide, IT services for the retailer must undergo and adhere to. TGI prepared a modern slavery questionnaire for over 100 of its suppliers as part of its commitment to good due diligence and to ensuring that all its suppliers meet high standards of IT security and are ISO27001 or another equivalent.
Jeremy Dunderdale added:
“Some people still think quantity of data is important not the quality of data. We had over 2 million data subjects before 25th May, but what we are realising now is that it is the quality of data that matters. SureCloud means we can now do more with the data we have such as monitoring retention policies, which is invaluable for us. We are happy to be with SureCloud; they are a good fit and the solution has implemented well into the business.”