Embodying hospitality in every sense of the word, Diamond Resorts is a worldwide leader in timeshares, vacation rentals, travel discounts, entertainment and more.

Focused on quality lodging and customer service, Diamond Resorts’ value add is their flexibility. Their members can revisit their favorite resorts, book a cruise to explore new countries, or attend a once-in-a-lifetime event. With access to a world of entertainment and activities, a Diamond membership ensures that people are always looking forward to vacation.

Building a GDPR-ready program with privacy by design

As the hospitality industry becomes increasingly vulnerable to internal and external data protection risks, hospitality organizations across the globe are looking to automate solutions to support their privacy initiatives.

When Gabriel Kotch, Assistant General Counsel-Privacy and Data Protection, first joined Diamond Resorts in August 2016, he was on a mission to implement a robust privacy program, and with the GDPR looming, he had no time to waste.

In addition to protecting employee and vendor data, Diamond Resorts also prioritized establishing and preserving trust with customers through exemplary privacy practices. While the European business had a good understanding of the importance of privacy, the U.S. division of the company had yet to build Privacy by Design into their operations, which made building a privacy program from the ground up (and getting the whole company involved with maintaining compliance) a challenge.

Kotch worked in tandem with the company’s European privacy team to develop a program and assemble an internal privacy council and a team of privacy champions comprised of senior management from every division of the company. Kotch spent nearly two years researching and executing his program, building awareness with senior executives, conducting face-to-face interviews, hosting trainings and rolling out privacy policies globally.

“Having privacy champions and senior executives responsible for privacy works well for us,” said Kotch. “The President of Diamond Resorts is the privacy council sponsor, and it’s fantastic that he’s so supportive. It makes privacy so much easier to manage when it’s coming from the top.”

With the executive team fully invested in ramping up privacy initiatives and GDPR compliance efforts, Kotch began to evaluate OneTrust’s Automated Assessment module for privacy impact assessments as a way to manage vendor risk.

“We have relationships with all sorts of different vendors for different programs, and they all have access to different data, so one of the newer policies that we rolled out is a vendor security policy,” Kotch said.

Automating questionnaires and reports with OneTrust

Diamond Resorts has since successfully leveraged OneTrust’s automation and self-service portal to create internal procurement processes for vendors, making it easy for vendor prospects to answer questions within the OneTrust platform prior to engagement. OneTrust has also automated the company’s security and privacy questionnaires to current vendors, allowing vendors to submit responses digitally, which are then seamlessly transferred to the legal team for review.

“Sending vendor questionnaires through OneTrust is much easier than trying to do it on paper, plus we get a better response rate,” said Kotch.

With a privacy team of just two people, it’s imperative Kotch leverages a tool to take away the painstaking manual work on GDPR compliance. “OneTrust’s automated assessments are easier for vendors to access, and are customizable to ensure a higher percentage of response rate,” he said. “OneTrust makes the vendor risk questionnaires easy to do. The dashboard tells me what is assigned, and I can see what’s outstanding as well as what’s being reviewed and approved.”

Leading up to GDPR, Diamond Resorts sent more than 300 data mapping assessments through the OneTrust Data Mapping module to locate assets and processing activities and to inventory where all personally identifiable information (PII) is stored and processed.

Kotch said that creating Article 30 reports for regulators is another benefit of OneTrust’s technology and automation.

Continually formalizing and training leadership on privacy best practices

Even with the privacy program up and running and with GDPR in effect, Kotch is just getting started. He has biannual updates to executives on the Data Privacy and Security Council planned where he and other privacy champions can review standard operating procedures and learn best practices across departments.

“Our teams have their policies, but now is the time to sit down and go over them,” Kotch said. “Line employees and managers aren’t thinking about privacy every day, so they may not always think about these policies we put in place. That’s why we will continue to train the trainers and formalize the process across the company.”

By simplifying vendor risk management and data mapping, Diamond Resorts took an important first step toward formalizing their privacy processes, and plans to continue refining those activities with OneTrust’s help, especially as GDPR regulations come into clearer focus.