Global Chocolatier Adopts Privacy Technology to Prevent Data Exposure

Data privacy has become a strategic priority as companies adapt to comply with rapidly proliferating data privacy laws. Recent years have seen the adoption of the European Union’s General Data Protection Regulation (GDPR), the more recent California Consumer Protection Act (CCPA), and similar regulations. These safeguards require companies to document the types of protected personal data used in their businesses and demonstrate the efficacy of those processes. Organisations that fail to comply not only face the prospect of fines, but also the potential loss of business as customers become increasingly interested in controlling how their personal information is used.

In this environment, it is important that companies develop a keen understanding of not only the data they are processing in-house, but also any processing activities conducted on their behalf through third parties.

A global chocolatier conducted a companywide review of its privacy programme and data processing activities to gain a clearer perspective of what data it was processing and the overall data processing activities within the wider organisation. The company asked Protiviti to provide guidance through the process and to help select and implement a platform to maintain and manage privacy going forward.

Laying a Strong Foundation

Before personal data could be managed, the company needed to understand what data was available, where it resided, who had access to it, and how it was being used. Protiviti helped create a map of operations, providing a detailed record of processing activities (ROPA) required by Article 30 of the GDPR, which became the foundation of the privacy programme.
Data mapping produced an executive-level view of personal data processing activities, allowing the company to address specific compliance obligations such as data management requirements under the CCPA. The solution required a replicable data mapping process to support the ongoing maintenance of records for data governance. Protiviti used an assessment and mapping tool developed by OneTrust, a Protiviti compliance system partner, that integrated well with the organisation’s legacy data systems. Protiviti and OneTrust worked together to customise the tools to fit the company’s needs. In particular, the partners focused on developing an asset assessment inventory, record of processing inventory, and push-button ROPA.

Sweet Success

The project gave the chocolatier greater understanding, transparency and control over its privacy programme, as well as the unanticipated benefit of fully compliant data privacy support when the COVID-19 pandemic forced the organisation into an extended remote-work footing. Utilising OneTrust, Protiviti’s team of skilled resources enabled the company to efficiently collect information to meet its goal of deploying a flexible and scalable privacy management tool that would work with its existing systems.
Protiviti and OneTrust applied their deep functional expertise in IT security and data privacy and worked together to customise a solution. Finally, while effective compliance was a key desired outcome, it was only one result of the company’s broader goal, which was to promote a corporate culture of providing customers with strong privacy and information governance.