An international pharmaceutical company was struggling to build a global privacy program able to adapt to its strategy of growth through acquisition, often of smaller and/or less data-sophisticated organizations. With each new acquisition bringing a discrete line of business into the organization, the Company was functioning in a decentralized manner and the majority of decision-making occurred at the local level.
The firm’s EU presence made the GDPR a pressing concern, and its offices across the EU all used different, location-specific data protection policies, almost all of which were lacking core GDPR requirements. Another key challenge was the inconsistency in operational execution and terminology, diminishing the effectiveness of universal policies and data protection mechanisms.
THE DPSA SOLUTION
DPSA designed a global privacy framework that could readily absorb the pharmaceutical company’s new offices—and new regulations. As the heart of the framework, DPSA built a unified lexicon that stipulates common terms for common business practices, and normalizes business processes for common business activities, across offices and regions.
DPSA also embarked on a comprehensive Data Inventory & Mapping initiative, specifically focused on meeting regional and GDPR Record of Processing Activities compliance requirements. As a result of this initiative, the Company is better able to identify internal data transfers as well as external data transfers to vendors, flagging each time data leaves the organization and indicating whether the data will go outside the EU.
DPSA further enhanced the Data Mapping of Processing Activities to flag processes where Data Subject Request identity verification would require additional steps versus processes where verification could readily be made with data the Company already processed. The Company now also has the capacity to identify higher-risk activities that should be routed to its Data Protection Impact Assessment (DPIA) program, which DPSA also designed.
To achieve these improvements, DPSA paired “Business Owners” with “Technology Owners,” which streamlined the entire documentation workflow, from building the Data Inventory to responding to Data Subject Requests through to completing DPIAs.
The new global privacy framework allowed the Company to operationalize the Data Inventory & Mapping and DPIA initiatives, creating much-needed harmony between operational terms and leading to more consistent practices across offices. While those offices continue to operate in a regionalized manner, there is now a collaborative sense of partnership on privacy concerns. Teaming the Business and Technology Owners allowed each to provide critically necessary information from their area of expertise without placing an undue burden on either team. As a result, information collection is now faster and more accurate, requiring less clarification and clean-up.
Today, the Data Inventory & Mapping is the Company’s “single source of truth” for its personal data collection operations. This centralized approach helps the Company document processing activities, data transfers, and key components of third-party risk, including flags for active Data Protection Agreements. The end result? The Company can easily deploy and maintain effective data protection mechanisms despite its decentralized structure, which has strengthened the company’s global Privacy and Information Security programs.