Accelerating adoption with faster forms
Apperger spent the first year rebuilding Kärcher’s record of data processing activities using two OneTrust modules: PIA and DPIA Automation and Data Mapping Automation. These modules work together to integrate assessment templates into existing systems and provide a real-time, comprehensive view into the organization’s data, respectively.
The first batch of PIA and DPIA forms, however, revealed a missing piece in the plan. “We asked the correct questions, but the answers from the process owners were not really good because they didn’t have the depth of understanding about GDPR,” says Apperger.
With data processing activities carried out across the entire company, from sales and marketing to human resources, the forms had to address a broad audience.
“We made them shorter,” he says. “We only included the basics, about 20 questions. And every email we send with the form also includes a short overview of how OneTrust works and what can be done with the tool.”
Once the answers are submitted and reviewed, Apperger then meets with the process owner for further discussion before giving final approval. The form is sent to process owners periodically for review of processing activities.
Investing in internal documentation
In addition to simplifying forms, Apperger was looking for ways to communicate the importance of data protection and data security. He wanted to raise awareness of the GDPR and data protection laws. He also wanted to make the information more appealing to his colleagues. A better understanding leads to a smoother process.
"Every day we get a new question about the GDPR: Is this image personal data? Is this information personal data?" says Apperger. "It's all new language for the company. We have documented how we implement data protection at Kärcher in a data protection manual."
To further raise awareness of data protection in the company, Kärcher published a quarterly newsletter on general data protection topics, current information from the supervisory authorities, and data protection topics.
With this additional guidance, Apperger and his team were able to build a data protection strategy that scales beyond geographical borders. As new laws and regulations are enforced, and data transfer guidelines change, it’s critical for a company to stay in control of its data.
“This is a benefit of OneTrust — we can create custom fields and use them as a filter to see which processing activities we need to change when any given regulation changes,” says Apperger.
Expanding a global data protection process
Once his data protection strategy was in place, Apperger began personally introducing OneTrust to the other DPOs at Kärcher. He created another handbook to explain the different modules that help maintain data processing activities and ensure GDPR compliance.
From there, integrating the solution was easy. “Subsidiaries use many of the same processes we use, so most of the time, it’s just copy-paste,” he says. For example, Kärcher’s online recruitment process is the same for all countries. Since the process is already documented in OneTrust, it can be copied and immediately applied to any other location.
The challenge, however, was addressing the number of customer data inquiries received by subsidiaries. Kärcher’s subsidiaries operate as sales arms in their respective countries, which makes them the primary channel for customers to request access, correction, or deletion of their data — a process easier said than done.
Every request requires verifying the legitimacy of the request, locating the data across disparate systems (including any third parties), determining any data exemptions, and documenting any changes.
“This required a mindset change and a solution,” he says. Apperger and his team utilized the OneTrust Privacy Rights Automation and Data Discovery modules to facilitate these customer data requests. By automatically scanning every data environment, down to the field and file level, he was able to streamline the end-to-end process — from intake to discovery to taking action — on a single platform.
Looking forward to greater data governance
Today, OneTrust is the backbone of Kärcher’s data protection strategy. “It gave us an overview of all the company’s processing activities and helped our colleagues understand the GDPR,” says Apperger.
“I think the process we have is really good at this time. In the future, we look to connect our processing activities to see how data is created and flows through the company. This is something we can do very easily in OneTrust.”