Data breaches are on the rise across all industries, including quick-service restaurants. Companies like Checker's/Rally's and Dunkin' have both recently suffered high-profile breaches, many of them caused by flaws in POS systems.
Data breaches are a serious danger to both restaurants and consumers, because they damage brand trust. Lawmakers have taken notice, introducing new laws and regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), to hold companies accountable for negligence in how consumer data is acquired, used and protected.
As the amount of consumer data quick-serves collect for loyalty programs and general marketing initiatives increases, companies must hold themselves to higher standards or be left behind the pack, with consumers opting for restaurant brands that place more value on data protection than those that fail to keep their information secure.
The marriage of privacy and security
Two sides of the same coin—privacy and security—work hand-in-hand to protect customer data. If a company uses data irresponsibly, it will fail to measure up to privacy standards imposed by legislation and consumer demand. Likewise, if a company doesn't build its privacy strategy on the foundation of a comprehensive security program, it will fall short of expectations.
The consumer data conundrum
It's smart for quick-serves to collect only the customer data they need to serve customers better with custom content and personalized service, potentially gaining an edge over competitors. That said, with more data comes greater responsibility. The more data you collect, the more information you have to protect, and the more you have to lose if you fail to do so.
Restaurateurs must walk a fine line between collecting data that is useful and deleting data that is no longer needed. It's also imperative to ensure that any data collected is gathered in compliance with applicable regulations and stored and secured according to industry best practices.
Getting ahead of privacy and security
Restaurants aiming for an ethical approach to data privacy that helps to build and keep consumer trust must prioritize privacy. And if doing good isn't motivation enough, quick-service restaurants should consider how a proactive approach to privacy can make them stand out from the competition, as well as how a reactive approach to privacy could destroy a brand's reputation and cost the company millions.
Assess and adjust
Quick-serves that collect data should conduct Privacy Impact Assessments (PIAs) to assess risk, ensure compliance, and determine the best course of action to mitigate that risk. PIAs help restaurants ascertain how vulnerable their customers' data is and what impact a breach could have. Long a best practice among privacy experts, PIAs have now been given a legal footing by GDPR.
Bake it in
If your organization treats privacy like a box that must be checked off to ensure compliance, you're doing it wrong. Instead, aim for privacy by design (or by default). Privacy should be baked in to the very culture of the company. Privacy shouldn't be an afterthought, but an aforethought. Consider privacy when you make any decision regarding product innovations, marketing or strategic partnerships.
Privacy by design requires regular discussions, ongoing training and looking to your privacy and security leaders for constant guidance. A culture of privacy ensures that every member of the organization takes ownership of protecting customer data, whether that means knowing what a phishing email looks like or understanding the importance of not opening documents from unknown senders on a work device.
Partners in Crime
As a quick-service brand, you may be doing everything in your power to protect your customers' data, but if you don't keep good company, all that hard work goes right down the drain. Often, it's third-party partners such as vendors, suppliers and consultants that pose the most significant risks. To combat this proactively, make it your business to know where your customers' data is stored and which partners have access to it. Do your due diligence before taking on new partners: ask whether they have a chief information security officer, and what data protection policies and practices they have in place.
The evolution of the data protection landscape and increased oversight of business practices mean restaurants need to implement a comprehensive and proactive privacy and security plan: one that includes performing Privacy Impact Assessments, designing the organization with privacy in mind, and carefully selecting partners while limiting their access to sensitive customer data.
Jill Knesek is the Chief Security Officer (CSO) for Cheetah Digital, where she is responsible for providing enterprise-wide leadership in developing, planning, coordinating, administering, managing, staffing, and supervising all aspects of information security. She has more than 25 years of experience in cybersecurity, working in both internal and client-facing roles. She served as a Special Agent for the FBI. Prior to joining Cheetah Digital, Jill worked as the CISO for Mattel and BT Global Services.