Data privacy strategy success for global learning provider
With offices in the UK and Europe, this leading digital learning provider offers bespoke learning solutions to large corporates and some of the best-known brands. Having recently made several acquisitions, the company wanted a review of its existing data privacy arrangements. The parent company had a data privacy programme in place to ensure compliance with GDPR, but wanted to bring the new acquisitions into alignment with this.
As the business had recently extended the company footprint into the EU, they needed to review their existing data privacy policies and procedures and understand the necessary steps to become compliant in multiple territories.
Metataxis was approached to complete a review of the current policies of the new acquisitions and provide advice on requirements for operating across borders. We also needed to take into consideration the legislative requirements of all the companies based across Europe where there are local variations on GDPR and data privacy requirements.
The requirements covered:
- An up-to-date review of personal data processing activities
- Identification of data privacy risks across the whole Group
- Identification of baseline requirements vs best practice requirements for data privacy operational measures
- Independent and impartial assessment of DPO services provided by a third party
The Metataxis approach
To meet the client needs, Metataxis undertook the following activities:
Data processing gap analysis
We reviewed what personal data was being processed by acquisitions and ensured this was added to the Sponge Record of Data Processing Activities (ROPA), and ensured responsibility for the data was clearly assigned.
We also compared the acquisitions’ current privacy policies, controls and procedures and ensured these were aligned to the policies of the parent company. Part of this process also included ensuring that the processes were scalable and proportionate to the smaller child companies.
Risk assessment and action plan
We considered the data privacy risks and developed an action plan for Sponge to determine how to manage these. Part of this piece of work included assessing risks associated with governance and transfer of data across borders. As part of this we also assessed the need for a DPO service and confirmed current arrangements for Sponge.
Data privacy maturity
To provide a model for describing baseline and best practice we completed an assessment of Sponge’s data privacy maturity. This enabled the company to identify priority areas for development and complemented the detail provided in the Risk action plan.
Metataxis was able to provide our client with a clear action plan to bring the data privacy arrangements of all new acquisitions into alignment. We also provided clear guidance on how to manage risks when working with personal data across borders and assurance of DPO services provided within EU territories.
Furthermore, we were able to present the leadership team with a very clear picture of how well they were managing their personal data and what steps were needed to manage risks effectively moving forward. We also received fabulous feedback from the CEO: “Metataxis made a dry, confusing subject light and very easy to follow.”