view share price

Information security

Protecting Customer, Employee and Supplier data

Information and systems are amongst Whitbread’s most valuable assets.  
 
Protecting these is critical to sustainability and competitiveness of our business as well as keeping the trust of our customers, employees, suppliers and investors.  

For these reasons, Information Security and Data Privacy are identified as principal risks for the business in our annual report

We take the responsibility of being entrusted with our customers and employees personal data very seriously and we’re committed to protecting all data with the highest levels of security. Our multi-year Information Security programme continues to review and enhance across our security capabilities where required. 

We are committed to protecting all information in accordance with; its value, its sensitivity, our customer and employee expectations, our business goals, and regulatory requirements.

Governance

Accountability for Information Security sits with the Chief Information Security Officer who reports directly to the Group Operations Director on a day to day basis.

In addition, the Board and Executive Directors receive detailed updates on our risk management and mitigation activities through the following committees:  

  • Group Executive Committee 
  • Group Audit Committee 
  • Compliance and Risk Committees 

Risk Management 

To deliver and demonstrate our commitment, we have developed policies that set out our ambition and have implemented controls to prevent, detect and mitigate risks. We have adopted a risk-based approach which is used in prioritising activities on those areas that are highest risk to the business.  

We have also established reporting processes to raise visibility with leadership teams and continuously invite challenge through independent reviews and audits. 

Our objectives are to preserve:
  • Confidentiality:
    We take the highest level of care in protecting information in line with its classification/risk. 
  • Integrity:
    We have robust systems and processes to ensure that information is complete and accurate. 
  • Availability:
    We ensure systems and Information are available at the time when they are needed.

Below are several examples of some of our activities; 

Compliance & Frameworks

In order to ensure we are following best practices, we subscribe to the ISF Framework at the heart of our Information Security Strategy, which also utilises components from ISO27001. 

Our Restaurants business is also certified to PCI-DSS, which is externally assessed annually.  

Each year we are externally assessed on our overall Information Security maturity against others in our industry area and have continued to improve in this scoring year on year. 

Business Continuity

To maintain the successful ongoing operation of our business, we conduct annual business impact assessments across our functions to identify the capabilities, needs and criticalities to our business.  We then implement response plans, controls and mitigations to help protect those essential processes.   

This includes testing the disaster recovery and resilience of our IT systems. 

Systems Security 

In order to ensure our technology systems are protected against changing security vulnerabilities, we regularly test and install ‘patches’. We also perform compliance monitoring to ensure that these patches are activated in a timely manner. 

In addition, we continue to strengthen our network to help us protect against unauthorised traffic and malicious content entering our environment. We have deployed tools to protect us against malware infections and have independent penetration testing performed to actively identify vulnerabilities. 

To continually assess our security exposure, we regularly conduct external security testing across our systems, with critical systems being tested annually. Systems and applications that are developed are scrutinised for security bugs and weaknesses throughout their development before being launched. 

We have a robust process in place for identifying and escalating security incidents, including established Security Incident and Event Monitoring capabilities. We have a 24×7 Security Operations Centre in place to assess and investigate abnormal activities.  

Keeping ahead of threats is vital, therefore we have a comprehensive threat intelligence capability to proactively alert us potential issues or attacks, allowing us to plan ahead for the eventualities and prevent them before they can cause harm. 

Employee Awareness Training 

We make sure that our employees are trained in security awareness so that they understand the importance of confidentiality, integrity and availability and their responsibility to preserve it. Ongoing training is also undertaken to help further protect our customer, employee and business information. 

Employee information security awareness training is mandatory. We make sure that training is relevant, role specific and tailored. We deliver regular refresher training for office-based teams to ensure it remains current in everyone’s minds. We also have annual refresher training for all employees. 

Advanced Technology security training is also made available to all Technology teams including privileged system users. 

We have a 24×7 Security Operations Centre and Protector Hotline which are available to employees should they wish to make a report of any suspicious activity or concerns. 

Supplier Assurance 

We expect our suppliers to take the same level of care as we do for the information shared with them, and as such we have a supplier assurance programme in place. We focus on those suppliers that pose the highest risk to Whitbread, employee and customer data. Those we identify as highest risk, we conduct a supplier review which may include questionnaires and site visits. 

Contacting Information Security 

If you require any further information on how we protect our data/systems, or you have a question for our Information Security Team, please contact them at: information.security@whitbread.com  

You should receive a response within two business days. 

Visit our brand sites