Delivering GDPR compliance and data protection confidence
Business drivers
Our client, a multinational manufacturer, was in the process of acquiring a small local company. Metataxis had worked with the client before to help them establish a GDPR management programme so when they needed to assess their new acquisition’s data protection maturity, they turned to us.
Key requirements
This multinational manufacturer asked us to assess the subsidiary company’s compliance with GDPR and data protection requirements. This needed to be done quickly and effectively in alignment with tight acquisition timelines. The business also required the subsidiary company to align their policies, procedures, and practices with their own internal data protection compliance programme. This needed to be done with some sensitivity, as although this was an acquisition, both the parent client and subsidiary wanted to retain separate brands and cultures.
The Metataxis approach
- Benchmarks
- We assessed the subsidiary’s personal data management against KPIs based on the parent group policies.
- Scalable solutions
- We took the GDPR programme of the parent organisation, a global company, and scaled it to suit the business, compliance, and risk management needs of the smaller specialist business.
- Gap analysis and action plan
Based on benchmark results we completed a gap analysis and an action plan.
- Data process flows
- We worked with the subsidiary to identify personal data holdings and data process flows.
- Record of Processing Activities (ROPA) and retention schedule
- We mapped personal data processes to the parent company ROPA and identified assets to be added to the Retention Schedule.
- Guidance and tools
- We created reusable and scalable assessment tools and provided guidance for the Group to use for measuring the compliance of future acquisitions.
Business benefits
Our work provided the manufacturer with the assurance they needed that the subsidiary company they were in the process of acquiring did not carry any unmanageable liabilities. Once acquired, we were able to find a way to enable the subsidiary to be brought into alignment with this large multinational company, that was also compatible with the requirements of their business.
During the benchmarking phase, Metataxis provided templates and spent time sharing our knowledge with practitioners working at the company. This allowed them to learn how to bring in future acquisitions in line with their own GDPR programme, giving them the self-sufficiency to carry our methods forward independently. This was important to our client as they make acquisitions regularly and really appreciated how we integrated data protection into their overall approach to make this easier for them to do.
Read more of our case studies here.