Challenge
A multinational pharmaceutical company that operates in a decentralized manner and expands through acquisitions, often bringing in smaller, less data-mature organizations, needed a unified global privacy program to manage diverse data protection practices across the organization.
Key issues included inconsistent GDPR compliance and disparate data protection policies across EU offices.
Solution
DPS Privacy crafted a global privacy framework tailored to the Company’s acquisitive growth strategy and regional operations and, despite the Company’s decentralized structure, was able to foster a culture of proactive privacy management and enhance global data security:
- Unified Global Privacy Framework: Predicated on a unified lexicon of common terms for common business practices and normalized business processes for common business activities, the new framework is globally-focused and can readily absorb new offices – and new regulations – across regions.
- Comprehensive Data Inventory & Mapping: We led a detailed Data Inventory & Mapping effort to better identify internal data transfers and also external data transfers to vendors, adding flags for each time data left the organization and whether it left the EU to ensure conformity with GDPR’s data transfer requirements.
- Integrated Business and Technology Collaboration: By pairing Business Owners with Technology Owners, we streamlined workflows and reduced the number of steps needed to complete the Data Inventory, conduct D/PIAs, and respond to DSARs. This collaboration minimized the burden on Company teams, reduced the back-and-forth needed for clarifications, and accelerated project timelines.
Results
- Global Privacy Steering Committee: The new framework created a cross-functional, pan-regional Steering Committee for oversight of in-flight initiatives, to streamline approvals for program needs, and to act as an escalation point, providing critically important support for the Privacy Team in establishing privacy as a fundamental aspect of Company culture.
- Operationalized Privacy Initiatives: Standardized processes and normalized naming conventions, policies, and awareness programs created the much-needed harmony between operational terms, leading to more consistent practices across offices that still continue to operate in a regionalized manner – but there is now a collaborative sense of partnership-in-privacy.
- Streamlined Data Subject Request (DSAR) Processes: The enhanced Data Inventory flagged processes requiring additional identity-verification steps to complete Data Subject Requests, and streamlined those that could be verified with existing data, reducing processing time and improving DSAR response accuracy.
- Data Protection / Privacy Impact Assessment (D/PIA) Program: The redesigned workflow conducts Threshold Assessments to more quickly route higher-risk activities for thorough assessment, ensuring proactive privacy risk management and increased Privacy by Design practices.