view share price

Information security

Protecting Customer, Employee and Supplier data

Information and systems are amongst Whitbread’s most valuable assets.  
Protecting these is critical to sustainability and competitiveness of our business as well as keeping the trust of our customers, employees, suppliers and investors.  

For these reasons, Information Security and Data Privacy are identified as principal risks for the business in our annual report

We take the responsibility of being entrusted with our customers and employees personal data very seriously and we’re committed to protecting all data with the highest levels of security. Our multi-year Information Security programme continues to review and enhance across our security capabilities where required. 

We are committed to protecting all information in accordance with; its value, its sensitivity, our customer and employee expectations, our business goals, and regulatory requirements.


Accountability for Information Security sits with the Chief Information Security Officer who reports directly to the Group Operations Director on a day to day basis.

In addition, the Board and Executive Directors receive detailed updates on our risk management and mitigation activities through the following committees:  

  • Group Executive Committee 
  • Group Audit Committee 
  • Compliance and Risk Committees 

Risk Management 

To deliver and demonstrate our commitment, we have developed policies that set out our ambition and have implemented controls to prevent, detect and mitigate risks. We have adopted a risk-based approach which is used in prioritising activities on those areas that are highest risk to the business.  

We have also established reporting processes to raise visibility with leadership teams and continuously invite challenge through independent reviews and audits. 

Our objectives are to preserve:
  • Confidentiality:
    We take the highest level of care in protecting information in line with its classification/risk. 
  • Integrity:
    We have robust systems and processes to ensure that information is complete and accurate. 
  • Availability:
    We ensure systems and Information are available at the time when they are needed.

Below are several examples of some of our activities; 

Systems Security 

In order to ensure our technology systems are protected against changing security vulnerabilities, we regularly test and install ‘patches’. We also perform compliance monitoring to ensure that these patches are activated in a timely manner. 

In addition, we continue to strengthen our network to help us protect against unauthorised traffic and malicious content entering our environment. We have deployed tools to protect us against malware infections and have independent penetration testing performed to actively identify vulnerabilities. 

We have a robust process in place for identifying and escalating security incidents, including established Security Incident and Event Monitoring capabilities. We have a 24×7 Security Operations Centre in place to assess and investigate abnormal activities.  

Employee Awareness Training 

We make sure that our employees are trained in security awareness so that they understand the importance of confidentiality, integrity and availability and their responsibility to preserve it. Ongoing training is also undertaken to help further protect our customer, employee and business information. 

Employee information security awareness training is mandatory. We make sure that training is relevant, role specific and tailored. We deliver regular refresher training for office-based teams to ensure it remains current in everyones’s minds. We also have annual refresher training for all employees. 

Advanced Technology security training is also made available to all Technology teams including privileged system users. 

We have a 24×7 Security Operations Centre and Protector Hotline which are available to employees should they wish to make a report of any suspicious activity or concerns. 

Supplier Assurance 

We expect our suppliers to take the same level of care as we do for the information shared with them, and as such we have a supplier assurance programme in place. We focus on those suppliers that pose the highest risk to Whitbread, employee and customer data. Those we identify as highest risk, we conduct a supplier review which may include questionnaires and site visits. 

Contacting Information Security 

If you require any further information on how we protect our data/systems, or you have a question for our Information Security Team, please contact them at:  

You should receive a response within two business days. 

Visit our brand sites