Kotch worked in tandem with the company’s European privacy team to develop a program and assemble an internal privacy council and a team of privacy champions composed of senior management from every division of the company. Kotch spent nearly two years researching and executing his program, building awareness with senior executives, conducting face-to-face interviews, hosting trainings and rolling out privacy policies globally.
“Having privacy champions and senior executives responsible for privacy works well for us,” said Kotch. “The President of Diamond Resorts is the privacy council sponsor, and it’s fantastic that he’s so supportive. It makes privacy so much easier to manage when it’s coming from the top.”
With the executive team fully invested in ramping up privacy initiatives and GDPR compliance efforts, Kotch began to evaluate OneTrust’s Automated Assessment module for privacy impact assessments as a way to manage vendor risk.
“We have relationships with all sorts of different vendors for different programs, and they all have access to different data, so one of the newer policies that we rolled out is a vendor security policy,” Kotch said.
Automating questionnaires and reports with OneTrust
Diamond Resorts has since successfully leveraged OneTrust’s automation and self-service portal to create internal procurement processes for vendors, making it easy for vendor prospects to answer questions within the OneTrust platform prior to engagement. OneTrust has also automated the company’s security and privacy questionnaires to current vendors, allowing vendors to submit responses digitally, which are then seamlessly transferred to the legal team for review.
“Sending vendor questionnaires through OneTrust is much easier than trying to do it on paper, plus we get a better response rate,” said Kotch.
With a privacy team of just two people, it’s imperative that Kotch leverage a tool to take away the painstaking manual work of GDPR compliance. “OneTrust’s automated assessments are easier for vendors to access, and are customizable to ensure a higher percentage of response rate,” he said. “OneTrust makes the vendor risk questionnaires easy to do. The dashboard tells me what is assigned, and I can see what’s outstanding as well as what’s being reviewed and approved.”
Leading up to GDPR, Diamond Resorts sent more than 300 data mapping assessments through the OneTrust Data Mapping module to locate assets and processing activities and to inventory where all personally identifiable information (PII) is stored and processed.
Kotch said that creating Article 30 reports for regulators is another benefit of OneTrust’s technology and automation.
Continually formalizing and training leadership on privacy best practices
Even with the privacy program up and running and with GDPR in effect, Kotch is just getting started. He has planned biannual updates to executives on the Data Privacy and Security Council, where he and other privacy champions can review standard operating procedures and learn best practices across departments.
“Our teams have their policies, but now is the time to sit down and go over them,” Kotch said. “Line employees and managers aren’t thinking about privacy every day, so they may not always think about these policies we put in place. That’s why we will continue to train the trainers and formalize the process across the company.”
By simplifying vendor risk management and data mapping, Diamond Resorts took an important first step toward formalizing its privacy processes, and it plans to continue refining those activities with OneTrust’s help, especially as GDPR regulations come into clearer focus.