Trusted Partnerships and Collaborative Efforts Drive Success in Data Privacy Initiatives

Establishing a trusted, reliable data privacy programme and its associated policies and governance can prove challenging for companies looking to build their global brands. In this case, the client had just invested in several OneTrust modules and was beginning to develop an internal privacy and governance structure.

Overcoming roadblocks early in the journey

The engagement began with a programme assessment, followed closely by foundational data mapping to understand the company’s tech landscape and personal data usage. Our partnership with OneTrust enabled us to understand the newly licensed modules the company was implementing as the heart of its privacy and governance structure for its “brand of brands” network.

Using the National Institute of Standards and Technology (NIST) privacy framework as our guide, we conducted website analysis, stakeholder interviews and policy and documentation reviews, while conducting gap analyses. The project team focused on high-priority, shorter-term recommendations, assigned priority ratings, and pointed out workstreams to be addressed throughout the implementation process.

A policy charter was drafted, from concept and inception, which included roles and responsibilities of the organisational stakeholders, centralising policies, and a vision for the programme overall.

Fortunately, the client had already begun to establish a privacy steering committee, including representation from IT, development, marketing, and legal. Yet, our initial assessment identified that challenges this committee encountered early in the process were creating roadblocks to establishing solid policies and procedures, including:

• The committee struggled to activate a privacy charter through a responsibility assignment matrix (RACI) determination, which complicated how to best lead the team to adopt and become accountable for privacy throughout the enterprise. As an independent party, Protiviti was able to serve as an impartial leader, helping ease internal political stances, and initial "not my problem" mentalities, helping move the committee’s work forward.
• It was proving challenging to demonstrate the impact of privacy compliance both externally (policies, DSAR, cookie compliance) and internally, which hindered the business’s understanding of the processes needed to implement the use, access, deletion, do not sell, and record-keeping aspects of personally identifiable information (PII) metadata such as data mapping and incident response. 
• Due to recent merger and acquisition activity, the steering committee struggled to understand which brands they were managing, and even more challenging, who to contact in case something needed to be updated or influenced. Understanding the overarching inclusions of their brand network.

Maintaining focus

The first several phases of work focused on compliance roadmap activities as the client deployed OneTrust consent management. The roadmap provided step-by-step action items, responsible parties, and in-house and outsourced costing models with timelines to assist their prioritissation. As with many clients we work with, the temptation here was to be distracted by new solutions. The project team worked diligently to ensure the committee and the work being done to implement a comprehensive policy remained focused on key areas and initiatives. Ultimately, this strengthened the relationship between the client and Protiviti, as they appreciated our keeping their focus on the big picture objectives.

The client found the “house model,” featuring click-throughs to the roadmap, we built for them to be especially helpful in maintaining that focus, throughout the project and beyond. The house’s foundation was the data protection impact of both a privacy impact assessment (PIA) and data privacy impact assessment (DPIA), while the “roof” – or overarching considerations -- included the company’s business operations and available technological solutions.  The “rooms” within the house, important factors to consider as the client built its data privacy programme, included scope and requirements management, supporting technologies, communication, training and awareness and third-party management.

The RACI matrix mentioned above was combined with the house model to complete the multiple-year roadmap that eventually defined the processes, policies and controls needed to mitigate risk and meet regulatory requirements.

Privacy rights and consent management

Protecting consumer data was a critical piece of this project, as we worked to establish a comprehensive privacy rights and consent management programme for the client. This included documentation and management of users’ consent choices for collecting and using personal information. To accomplish this, we developed:

• Website scanning and cookie management
• Website privacy notices
• Data subject rights access requests which reviewed requests by consumers to access the personal data information the client was using and ensuring responses to those requests remain compliant with applicable global laws and regulations.
• Consumer data platform integration to automate access, deletion and DNS
• GDPR, CCPA and CPRA compliance reviews
• Global compliance refresh

Additionally, we developed data inventory, data mapping services, data flow mapping and classification to perform data discovery and classification on high-risk data sources. Data retention and destruction was the final piece, and we established a data and records retention schedule and automated schedule deployment. 

Mission accomplished

This project was particularly rewarding to both the client and Protiviti, as we partnered to deliver:

• A revised, multi-lingual privacy policy.
• Enhanced website privacy rights processes incorporated into a universal, globally scalable webform intake with 10+ custom workflows and an encrypted portal.
• Automation support for access, deletion and DNS requests via integrations with the client’s primary CDP application.
• Cookie banners deployed across more than 50 domains, refined to two standard categories (down from five), while leveraging OneTrust autoblocking for baseline compliance.
• State and global regulatory refresh exercises.

But perhaps the most rewarding aspect of this implementation was the trusted relationship we established with the client. Transparency and open communication throughout the project allowed us to develop a comprehensive partnership that gave the client’s programme value above and beyond the parameters of the work performed.

Impact by the Numbers: