Case Study: Multinational Manufacturer

Background

Our client, a multinational manufacturer, was in the process of acquiring a small local company. Metataxis had worked with the client before to help them establish a GDPR management programme, so when they needed to assess their new acquisition’s data protection maturity, they turned to us.

Requirements

Our client asked us to assess the subsidiary company’s compliance with GDPR and data protection requirements. This needed to be done quickly and effectively in alignment with tight acquisition timelines. The client also required the subsidiary company to align their policies, procedures, and practices with the client’s own internal data protection compliance programme. This needed to be done with some sensitivity, as although this was an acquisition, both the parent client and subsidiary wanted to retain separate brands and cultures.

Approach

  • Benchmarks
  • We assessed the subsidiary’s personal data management against KPIs based on the parent Group policies.

  • Scalable solutions
  • We took the GDPR programme of the parent, a global company, and scaled it to suit the business, compliance, and risk management needs of the smaller specialist business.

  • Gap analysis and action plan
  • Based on the benchmark results, we completed a gap analysis and an action plan.

  • Data process flows
  • We worked with the subsidiary to identify personal data holdings and data process flows.

  • Record of Processing Activities (ROPA) and Retention Schedule
  • We mapped personal data processes to the parent company ROPA and identified assets to be added to the Retention Schedule.

  • Guidance and tools
  • We created reusable and scalable assessment tools and provided guidance for the Group to use for measuring the compliance of future acquisitions.

Results

Our work provided our client with the assurance they needed that the subsidiary company they were in the process of acquiring did not carry unmanageable liabilities. Once the subsidiary was acquired, we were able to find a way to bring it into alignment with the large multinational company that was also compatible with the requirements of the subsidiary's business.

During the benchmarking phase, we provided templates and spent time sharing our knowledge with practitioners from our client’s company. This allowed them to learn how to bring future acquisitions in line with their GDPR programme, giving them the self-sufficiency to carry our methods forward independently. This was important to our client, as they make acquisitions regularly, and they really appreciated how we integrated data protection into their overall approach to make this easier for them to do.