Building a Privacy by Design Program for a Regional Hospitality Leader
Case Study

Client Overview
A “Regional Accommodation Provider”* secured a high-profile contract with a multinational company placing its employees in accommodations worldwide. This contract required the provider to collect, manage, and protect sensitive personal data, including passports, nationalities, and other employee information. However, the Provider lacked a formal privacy program to meet the stringent contract requirements.
Recognizing the urgency, the Provider engaged Ethos to design and implement a phased Privacy by Design program tailored to meet their immediate needs while building a sustainable foundation for long-term compliance.
* Not the client’s real name. All identifying details have been changed to protect client confidentiality.
Challenges
- Very limited privacy framework, policies, or processes in place.
- Immediate need to comply with contractual requirements and global regulations.
- Handling of sensitive personal data required secure processes for collection, retention, use, disclosure, and disposal.
- Tight implementation timeline to fulfill contractual obligations.
Our Approach
Leveraging our proven Privacy by Design methodology, we conducted a comprehensive assessment of PackCo Solutions’ data handling practices and developed a tailored integration roadmap that aligned with Global Distributors’ privacy framework while ensuring compliance with GDPR and CCPA regulations.
- Conducted a Privacy Risk Assessment to identify the most urgent risks in handling sensitive personal data.
- Implemented core privacy policies and procedures to address critical contractual requirements for data collection, retention, and disclosure.
- Developed and deployed a Privacy Notice to ensure transparency with data subjects.
- Established encryption and secure access controls for sensitive data to mitigate immediate risks.
- Retention and Disposal Framework: Introduced automated data retention schedules and secure disposal procedures to ensure compliance with data minimization principles.
- Employee Training: Delivered foundational training to ensure staff could immediately begin implementing privacy practices, followed by advanced role-specific training sessions.
- Client Reporting Tools: Integrated systems for seamless communication and reporting to their clients regarding privacy compliance.
- Designed a Privacy by Design Framework to embed privacy considerations into all operations, ensuring future projects aligned with compliance requirements.
- Set up an ongoing Audit and Monitoring Program to address evolving privacy regulations and maintain compliance.
- Successfully implemented a comprehensive third-party risk management framework for our client, significantly enhancing their supply chain data privacy protection.
- Established a dedicated Privacy Officer role to oversee long-term implementation and adaptation.
Results
Immediate Compliance Achieved
The Provider met critical privacy requirements within the contract timeline, satisfying their client and preventing operational delays.
Scalable Solutions
Progressively implemented additional privacy services as resources allowed, creating a robust and adaptable privacy program.
Risk Mitigation
Reduced the risk of data breaches and regulatory penalties through secure data handling practices.
Client Trust Strengthened
Demonstrated a commitment to privacy and security, cementing a strong partnership with their clients.