TGI Fridays implements SureCloud’s applications to help accelerate and manage their compliance and risk strategies.
American restaurant chain TGI Fridays UK have deployed SureCloud’s Third Party Risk Management and GDPR solutions to work towards meeting the requirements of the GDPR, optimize internal processes and manage risk across its network of suppliers. Having used SureCloud’s Penetration Testing Services and Vulnerability Management Software for a number of years, TGI Fridays UK approached SureCloud to replace its manual, spreadsheet-based processes for risk management and compliance.
TGI Fridays have 84 restaurants in the UK. Therefore, their network of suppliers, employees, and guests are extensive. With details in excess of 5,000 active employees in the UK and 34,000 employee records, along with data on guests making bookings, using the company’s loyalty app, and making payments by credit or debit cards, etc., its records span in excess of 2 million data subjects.
Streamlining Third Party Risk Management
At the start of 2017, TGI Fridays UK decided to update its vendor risk management processes. This was based on a manual, spreadsheet-based system which involved sending spreadsheets to individual suppliers for vendors to complete and then TGI Fridays UK had to collate the results. As this involved over 20 suppliers who have access to TGI Fridays UK networks or data, the process was cumbersome and time-intensive. The chain wanted a solution that would help to accelerate and automate the process. Having used SureCloud’s Platform for their Cybersecurity needs, TGI Fridays UK decided to evaluate the SureCloud Third Party Risk Management solution.
Using the Third Party Risk Management solution, TGI Fridays UK has put together an updated third-party risk management process, which its current and future suppliers must pass as part of the company’s rigorous oversight of its supply chain: “Essentially before we appoint a new supplier they must complete a third-party risk assessment as part of our due diligence. This helps us assess whether they have good IT security policies in place, ensure they follow industry best practice security processes and if they are ISO27001 compliant, and so on,” said Jeremy Dunderdale, Head of Business Solutions at TGI Fridays.
The solution facilitates assessments and aggregates the data from TGI Fridays’ suppliers making it easier to grade suppliers and their risks without having to extract the data from multiple different spreadsheets, accelerating the vendor risk assessment process.
Moreover, TGI Fridays UK have taken a fresh look at its risk management policies across its business: “As a wider project, we also used the Risk Management module to handle a Modern Slavery questionnaire for every supplier across the entire chain of over 100 suppliers,” Dunderdale said. “We were able to set the survey questions, while the application’s functions and dashboard could handle the rest, enabling us to demonstrate compliance with the 2015 Modern Slavery Act.”
GDPR compliance processes
Having adopted the SureCloud platform for Third Party Risk Management, TGI Fridays saw that it was also able to consolidate its Vulnerability Management and GDPR project on the same platform.
“Gaining a centralized system started with risk management. This made us realize the power of the SureCloud platform and what solutions it could offer. It also helped us realize that to meet the requirements of GDPR, a paper-based process was not going to be effective,” said Dunderdale.
The company evaluated SureCloud’s GDPR solutions and found they addressed their various needs. The software enabled TGI Fridays to store data in a single location and give multiple stakeholders access to the platform as needed from anywhere in their business, operationally and geographically.
“Using the platform, it is easy to grade the risks across suppliers without having to extract the data from multiple vendor-specific spreadsheets. This also helps with meeting the GDPR requirements, to ensure we appoint suppliers who have the correct security processes in place,” Dunderdale said.
The five applications TGI Fridays chose to deploy from the SureCloud GDPR Suite were:
- GDPR Program Tracker – to enable TGI Fridays to map all its disparate data and workflows using intelligent risk-based questions
- GDPR Management – to provide all mandatory GDPR business-as-usual processes
- Information Asset Management – to record and maintain the TGI Fridays’ entire data inventory
- Compliance Management for GDPR – to help TGI Fridays speed up their process of attaining compliance and on-going real-time risk remediation
- Incident Management for GDPR – to meet the GDPR requirement to log, track and notify the ICO of any data breaches, should an incident arise
Monitoring Subject Access Requests (SAR)
Now, TGI Fridays can build and maintain a data repository of information assets, which provides instant reporting of data subjects and the data types held, the systems where they’re held and the underlying IT infrastructure supporting them. It is using Data Privacy Impact Assessments to identify and minimize the privacy risks of new projects, systems or policies.
A further benefit of the SureCloud Platform is that it provides a single source of truth that brings all relevant data together. Its features help accelerate information gathering across multiple departments (such as HR, finance, payroll, and more). SureCloud has had a transformational impact on oversight of data, analysis, and reporting: “Now that GDPR is in effect, we are also reviewing its data retention policies, to ensure that data which is no longer relevant can be destroyed. This helps to streamline data and risk management, reducing our exposure to the risk of a breach,” said Dunderdale.
By running both Penetration Testing and Vulnerability Management in the platform along with SureCloud’s GRC Applications, TGI Fridays are able to centrally manage all their risks in one place, providing them with a single source of the truth.
“Everything is now brought together in a single location, and the solution makes it easy to grade and assess risk across our suppliers without having to extract the data from multiple different spreadsheets. That is a key benefit, and it’s also important for GDPR compliance as it helps to ensure that we are working with suppliers who have the correct security processes in place.”
Jeremy Dunderdale, Head of Business Solutions at TGI Fridays UK