Do Not Sell My Personal Information
Skip links
Case study

How we managed to operationalise GDPR compliance through smart information management.

Discover more

Get Executive Management onboard for the Bigger picture.

Implement a successful Target Operating Model.

Shift in attitude towards GDPR as a value proposition.

Data Trust Associates has a strong background in both the financial and insurance sectors. One of our first customers is a leader in the insurance sector and is always looking at ways to innovate and disrupt across its many different organisational units worldwide.

This particular case study focuses on the use case of implementing a privacy management solution across different countries within the EU and in the Far East too. This was indicated as a necessary component to standardise some key aspects of GDPR:

Design, documentation, and maintenance of the Data Register

Streamline the management of Data Protection Impact Assessments (DPIAs)

Management of Data Subject Access Requests (DSARs)

Manage ongoing improvements based on Data Protection Audit findings

The Challenge

After the routine requirements gathering and market investigations, the selection of OneTrust as a privacy solution to meet the needs was straightforward.

However, it would soon become clear that the tool was not going to answer some core issues that needed to be addressed: How to be organised so that stakeholders within data protection knew their roles and responsibilities?

And a more fundamental realisation – data privacy needs data management and vice versa, and how to integrate this into the overall solution?

At first, the aim was to help the local Data Protection teams and their GDPR business stakeholders and facilitate the proper management of the information assets. By mapping the existing business processes, it became clear that, due to the volume of information and the increasing complexity of the business activities, the company was facing profound challenges, mainly due to a lack of maturity in data management and information governance.

The challenges that we encountered throughout the project were:

Lack of clear ownership of data, resulting in conflicts of interest between stakeholders that lead to adverse outcomes for the organisation

The highly decentralised nature of the organisation does not rhyme well with the transversal nature of data: the operating model was a hindrance to the strategic objectives

Different Countries of Operations move at differed paces, with different priorities. In such cases, Data Trust Associates applies a multidisciplinary approach aimed at combining a sense of short-term pragmatism, with the need for a long-term vision of data from a holistic perspective. The latter allows the customer to develop a data strategy that aligns with all business departments and brings enterprise-wide value.

Our Approach

At the beginning of the assignment, the focus was on helping the local Data Protection teams and their GDPR business stakeholders to enable proper management of the information assets. By mapping the existing business processes, it became clear that the volume of information and the increasing complexity of the business activities led to profound challenges due to a lack of maturity in data management and information governance.

The Result

Our team of experts were fortunate enough to raise awareness at the executive level. They could impart that the problems at hand require the organisation to think in terms of business capabilities and leverage these to adhere to their strategic direction. Developing a mindset that refrains from looking at data from a purely IT-perspective is the best way to ensure the agility. To note, agility is important to navigate through an ever-increasing level of regulatory complexity and stay relevant in the competitive and innovative financial services market. The result of these discussions led to the following achievements:

Strong executive commitment to develop a data strategy that aligns with and reflects the multi-year business strategy and allows for diversification of the product portfolio

The development and implementation of a Target Operating Model for the data privacy and -protection office, allowing it to leverage its mandate across the group increasingly

The change of attitude towards compliance: from being perceived as a hindrance for business to a value-creating activity