How Bertelsmann Manages GDPR for its Subsidiaries with OneTrust
Bertelsmann is one of the largest publishing groups in the world. Headquartered in Germany, Bertelsmann’s divisions, including RTL Group, Penguin Random House, Arvato, Gruner + Jahr, and BMG, produce market-leading TV, books, magazines, music, services, print and education. With hundreds of subsidiaries and 117,000 employees across 50 countries, Bertelsmann is truly a global organisation.
A shifting media landscape, a new data protection challenge
Above all, Bertelsmann stands for entrepreneurship and creativity, a combination the company says promotes great content and innovative service solutions. Staying true to this mantra, Bertelsmann publishers have spent the last decade shifting their strategy from a traditional print and TV focus to a multichannel and digital content distribution model. In addition to traditional books, magazines and TV shows, the company’s brands offer eBooks, online magazines and digital platforms to watch shows on demand. As the media industry continues to change, Bertelsmann leverages its foundational principles of entrepreneurship and creativity to grow.
For example, while Bertelsmann’s largest subsidiary RTL Group is traditionally a broadcast company, their various digital platforms make them the leading European media company in online video. “When customers watch content from their laptops and smartphones, they want to be sure we use their data in the way we promised,” said Sebastian Schlender, SVP and Data Protection Officer (DPO), Bertelsmann.
“Using a recognised tool like OneTrust instead of a manual, Excel-based solution is really helpful. We can prove we have structure, pre-defined roles, pre-defined documentation and reporting in the tool.” Sebastian Schlender, SVP & Chief DPO
As a result of this shift, Bertelsmann has a more digital interrelationship with its customers, Schlender explained. “We have access to personal data, and we need to process it in a way that is compliant to all the data protection regulations, including the GDPR.”
This digital content, and subsequently digital user information, is a major driver of growth for Bertelsmann groups, so compliance with data protection regulations is key to maintaining trust between the publishers and their users.
A unified privacy strategy for hundreds of subsidiaries subject to GDPR
Prior to GDPR, Bertelsmann’s Group Data Protection team shaped its privacy strategies for the German market. The team had difficulty creating value-added services for non-German subsidiaries because the regulations varied from country to country.
“That of course changed with the GDPR,” said Schlender. The GDPR does not apply to a single locale or country; it impacts any organisation that processes the data of EU citizens. Now, Bertelsmann could offer enhanced services and model documentation to its subsidiaries subject to GDPR.
The Bertelsmann Corporate Center decided to provide centralised data protection services for its subsidiaries. However, since the GDPR interpretation is also dependent on local and national data authorities, this standard policy needed to be flexible to cater to the local needs.
“This is one of the main reasons we chose OneTrust,” said Schlender. “The tool gives the subsidiaries the ability to use centralised, pre-defined documentations and guidelines and easily adapt to their local needs. It’s not our strategy to impose a solution and pretend one size fits all for all subsidiaries. We leveraged OneTrust so they don’t have to start from scratch. We provide a starting place and the flexibility to adapt what we delivered to their local needs.”
An enterprise solution for a global privacy programme
Bertelsmann chose OneTrust to deliver a centralised privacy management service that can be adapted and modified locally. Schlender leverages OneTrust’s roles-based access to give granular access to specific subsidiary DPOs. This means one group’s DPO can manage assessments and documentation for their organisation, but not alter or access another division’s OneTrust instance.
Schlender encourages his subsidiary DPOs to use OneTrust to help with records of processing across business owners. “It’s not the task of the data protection officer to do all the documentation work,” he said. “It’s the task of the business owners.”
OneTrust helps the subsidiary DPOs send out records of processing documentation to various business groups, such as HR or IT. “The tool gives us and the local subsidiaries the opportunity to shift the burden of documentation to other colleagues within their subsidiaries.”
“This is one of the main reasons we chose OneTrust. The tool gives the subsidiaries the ability to use centralised, pre-defined documentations and guidelines and easily adapt to their local needs. We leveraged OneTrust so they don’t have to start from scratch. We provide a starting place and the flexibility to adapt what we delivered to their local needs.” Sebastian Schlender, SVP & Chief DPO
Schlender and the DPOs across the organisation recognise that GDPR compliance is an ongoing process, and data protection authorities will continue to share new guidance and publications. Since data protection programmes are complex and constantly evolving, leveraging OneTrust for privacy management helps Bertelsmann keep up with ongoing regulatory changes and report in case of an incident.
“Using a recognised tool like OneTrust instead of a manual, Excel-based solution is really helpful,” said Schlender. “We can prove we have structure, pre-defined roles, pre-defined documentation and reporting in the tool.”
Looking ahead to ePrivacy and beyond
Now that GDPR is here, Schlender and his team are looking ahead to other global regulations that will impact his privacy programme. Like many publishers, Schlender and his team are discussing the implications of the impending ePrivacy Regulation on his business. He is exploring opt-in versus opt-out models for online tracking technologies like cookies and is exploring tools and solutions like OneTrust to help with collecting and recording user consent.
“We are committed to data privacy,” Schlender finished. “We have a long tradition in data privacy and know that this is critical to gain and maintain trust with our B2C and B2B customers.”