As a result of this shift, Bertelsmann has a more digital interrelationship with its customers, Schlender explained. “We have access to personal data, and we need to process it in a way that is compliant to all the data protection regulations, including the GDPR.”

This digital content, and subsequently digital user information, is a major driver of growth for Bertelsmann groups, so compliance with data protection regulations is key to maintain trust between the publishers and its users.

A unified privacy strategy for hundreds of subsidiaries subject to GDPR

Prior to GDPR, Bertelsmann’s Group Data Protection team shaped its privacy strategies for the German market. His team had difficulty creating value-added services to non-German subsidiaries because the regulations were varied from country to country.

“That of course changed with the GDPR,” said Schlender. The GDPR does not apply to a single locale or country, it impacts any organisation that processes the data of EU citizens. Now, Bertelsmann could offer enhanced services and model documentation to its subsidiaries subject to GDPR.

The Bertelsmann Corporate Center decided to provide centralised data protection services for its subsidiaries. However, since the GDPR interpretation is also dependent on local and national data authorities, this standard policy needed to be flexible to cater to the local needs.

“This is one of the main reasons we chose OneTrust,” said Schlender. “The tool gives the subsidiaries the ability to use centralised, pre-defined documentations and guidelines and easily adapt to their local needs. It’s not our strategy to impose a solution and pretend one size fits all for all subsidiaries. We leveraged OneTrust so they don’t have to start from scratch. We provide a starting place and the flexibility to adapt what we delivered to their local needs.”

An enterprise solution for a global privacy programme Bertelsmann chose OneTrust to deliver a centralised privacy management service that can be adapted
and modified locally. Schlender leverages OneTrust’s roles-based access to give granular access to specific subsidiary DPOs. This means one group’s DPO can manage assessments and documentation for their organisation, but not alter or access another division’s OneTrust instance.

Schlender encourages his subsidiary DPOs to use OneTrust to help with records of processing across business owners. “It’s not the task of the data protection officer to do all the documentation work,” he said. “It’s the task of the business owners.”

OneTrust helps the subsidiary DPOs send out records of processing documentation to various business groups, such as HR or IT. “The tool gives us and the local subsidiaries the opportunity to shift the burden of documentation to other colleagues within their subsidiaries.”

Schlender and the DPOs across the organisation recognise that GDPR compliance is an ongoing process, and data protection authorities will continue to share new guidance and publications. Since data protection programmes are complex and constantly evolving, leveraging OneTrust for privacy management helps Bertelsmann keep up with ongoing regulatory changes and report in case of an incident.

“Using a recognised tool like OneTrust instead of a manual, Excel-based solution is really helpful,” said Schlender. “We can prove we have structure, pre-defined roles, pre-defined documentation and reporting in the tool.”

Looking ahead to ePrivacy and beyond

Now that GDPR is here, Schlender and his team are looking ahead to other global regulations that will impact his privacy programme. Like many publishers, Schlender and his team are discussing the implications of the impending ePrivacy Regulation on his business. He is exploring opt-in versus opt-out models for online tracking technologies like cookies and is exploring tools and solutions like OneTrust to help with collecting and recording user consent.

“We are committed to data privacy,” Schlender finished. “We have a long tradition in data privacy and know that this is critical to gain and maintain trust with our B2C and B2B customers.”