A large retail group that owns several widely known brands faced concerns about its ability to demonstrate compliance with the General Data Protection Regulation (GDPR) and its preparedness for the (then) upcoming California Consumer Privacy Act (CCPA).
While the organization had started to build a privacy program, the effort lacked direction and momentum. This fractured approach made it difficult for the Company to determine what personal data was being processed, whether proper consent had been obtained, how often data was transferred to vendors, and the extent to which privacy obligations were understood and complied with across the Company.
Ultimately, the Company’s leadership needed to assure its Board of Directors that the organization was on the right path to implementing and maintaining a mature and effective governance program.
THE DPSA SOLUTION
To establish a baseline of the Company’s privacy posture, DPSA conducted a Global Privacy Risk Assessment tailored to the client’s industry, online and retail operations, and geographic markets. Business units and stakeholders from the United States, Canada, and Europe participated in the process, and DPSA provided the Company with a report identifying gaps across both the GDPR and CCPA, as well as PIPEDA, Canada’s privacy regulation. Critically, each gap was linked to an actionable remediation recommendation, sorted by priority and cross-referenced to the section of the regulation.
Addressing an area of risk that was one of leadership’s top concerns, DPSA recommended a Data Inventory & Mapping of Processing Activities involving personal information, in order to advance the Company’s ability to answer critical questions around processing, consent, data transfer, and third-party risk.
Because the Company wanted to allocate resources where they were most needed, DPSA quickly identified the Company's highest-risk Processing Activities and focused on those first. Working with Company stakeholders, we completed the first phase of the Data Mapping, documenting more than 30 key Data Processing Activities.
The actionable remediation recommendations from DPSA’s multi-regulation risk assessment brought a systematic approach to the retail group’s privacy program. After the first phase of a comprehensive Data Inventory & Mapping documentation effort, the Company was able to readily determine what personal data its different units were actively collecting, and with what consent. The Company also gained visibility into how this data was being processed, whether it was shared with external organizations, and whether or not appropriate contracts were in place.
Unfortunately, shortly after we completed this engagement phase, the Company suffered a significant data breach.
DPSA was retained to provide guidance to leadership and to coordinate with federal law enforcement and the client's external breach response team. The detailed dataflow information DPSA had previously captured in the Data Mapping allowed the response team to assess the overall impact of the breach more quickly, which sped up containment and eradication and shortened recovery times.
The Company currently maintains a mature privacy program, supported by DPSA's Privacy Expert on Demand services and in full collaboration with the Company's Information Security team. The partnership has further strengthened the Company's privacy and security posture.