How we managed to operationalise GDPR compliance through smart information management.
Data Trust Associates has a strong background in both the financial and insurance sectors. One of our first customers is a leader in the insurance sector and is always looking at ways to innovate and disrupt across its many different organisational units worldwide. This particular case study focuses on the use case of implementing a privacy management solution across different countries within the EU and in the Far East too. This was indicated as a necessary component to standardise some key aspects of GDPR:
- Design, documentation, and maintenance of the Data Register
- Streamline the management of Data Protection Impact Assessments (DPIAs)
- Management of Data Subject Access Requests (DSARs)
- Manage ongoing improvements based on Data Protection Audit findings
After the routine requirements gathering and market investigations, the selection of OneTrust as a privacy solution
to meet the needs was straightforward.
However, it would soon become clear that the tool was not going to answer some core issues that needed to be addressed: How to be organised so that stakeholders within data protection knew their roles and responsibilities?
And a more fundamental realisation – data privacy needs data management and vice versa, and how to integrate this into the overall solution?
At first, the aim was to help the local Data Protection teams and their GDPR business stakeholders and facilitate the proper management of the information assets. By mapping the existing business processes, it became clear that, due to the volume of information and the increasing complexity of the business activities, the company was facing profound challenges, mainly due to a lack of maturity in data management and information governance.
The challenges that we encountered throughout the projectwere:
- Lack of clear ownership of data, resulting in conflicts of interest between stakeholders that lead to adverse outcomes for the organisation
- The highly decentralised nature of the organisation does not rhyme well with the transversal nature of data: the operating model was a hindrance to the strategic objectives
- Different Countries of Operations move at differed paces, with different priorities. In such cases, Data Trust Associates applies a multidisciplinary approach aimed at combining a sense of short-term pragmatism, with the need for a long-term vision of data from a holistic perspective. The latter allows the customer to develop a data strategy that aligns with all business departments and brings enterprise-wide value.
At the beginning of the assignment, the focus was on helping the local Data Protection teams and their GDPR business stakeholders to enable proper management of the information assets. By mapping the existing business processes, it became clear that the volume of information and the increasing complexity of the business activities led to profound challenges due to a lack of maturity in data management and information governance.
Our team of experts were fortunate enough to raise awareness at the executive level. They could impart that the problems at hand require the organisation to think in terms of business capabilities and leverage these to adhere to their strategic direction. Developing a mindset that refrains from looking at data from a purely IT-perspective is the best way to ensure the agility. To note, agility is important to navigate through an ever-increasing level of regulatory complexity and stay relevant in the competitive and innovative financial services market. The result of these discussions led to the following achievements:
- Strong executive commitment to develop a data strategy that aligns with and reflects the multi-year business strategy and allows for diversification of the product portfolio
- The development and implementation of a Target Operating Model for the data privacy and -protection office, allowing it to leverage its mandate across the group increasingly
- The change of attitude towards compliance: from being perceived as a hindrance for business to a value-creating activity