British Council

The British Council builds a globally connected privacy program

man and woman sitting in park looking at a mobile device

The British Council is the UK’s leading international organization for cultural relations and educational opportunities. Their core goals are building connections, understanding and trust between people in the UK and other countries through arts and culture, education and the English language. Setup by royal charter, the British Council’s network of 12,000 employees operate in over 120 countries, and in 2019-20 they directly connected with 80 million people. 

One of the British Council’s core values is ‘valuing people’, treating people with courtesy and respect extends to how they treat people’s data as well. Ensuring a compliant global privacy program and being transparent and open about what data they are collecting and how it is used. 

As the British Council has a substantial overseas presence, global user-base, and focus on charitable work with vulnerable groups, bringing the ‘valuing people’ core tenant to live is key inside the company’s privacy operations. To make this happen they needed a tool that could stretch to their global needs and ensure centralized management.


"Privacy isn’t a barrier to innovation, it’s a gateway and OneTrust has put privacy back into the hands of the individual".


Tumi Atolagbe, Information Governance and Risk Advisor

A study in Global Privacy with OneTrust

The scale at which the British Council operates requires a highly effective way of managing their global privacy program. Using GDPR compliance as a base, they scaled their program, implementing OneTrust in numerous jurisdictions around the world with the necessary localization. The diversity of assets required a technology with a wide range of solutions. 

Tumi Atolagbe, Information Governance and Risk Advisor at the British Council, felt that the organization’s key need was a technology-based solution that could match the scale and diversity of their operations. 

“Using OneTrust’s Data Mapping solution for Article 30 Record of Processing was a really good way for us to map all of our systems. We are data intensive, China for example, which is our biggest market, means we have incredibly large databases, so the data mapping capabilities of OneTrust made it a clear winner,” said Tumi.

To elevate and centralize their global privacy program, the British Council invested in Assessment Automation, Data Mapping, Cookie Consent, OneTrust DataGuidance.


The art of compliance through Assessments, Data Mapping and Cookies

The Assessment Automation module reduced much of the time-consuming manual work for Tumi and her team. The easily accessible PIAs were simple to setup within their organizational hierarchy and the ability to create their own templates meant they could implement flexibility with their assessments.

"In regions where we have older or paper-based systems, issues around recording of consent forms can be more complex. The Assessment Automation module helps us flag these risks, map them and produce consistent recommendations across the regions".


Tumi Atolagbe, Information Governance and Risk Advisor

During their GDPR implementation, British Council decided to treat all operations with “high risk”, thus requiring a Privacy Impact Assessment by default and instead implemented a risk threshold into the process of doing the PIA. The conditional logic function allowed for a bespoke way to raise risks from inputted data. Any risks which are flagged automatically can be reported on and built into a geographical map and risk profile.

“In regions where we have older or paper-based systems, issues around recording of consent forms can be more complex. The Assessment Automation module helps us flag these risks, map them and produce consistent recommendations across the regions,” described Tumi.

As both a data processor and controller under the GDPR, Article 30 reports were one of British Council’s biggest challenges. With OneTrust, Tumi and her team can generate clear reports that not only helps improve efficiency within processes, but also improve accountability. This functionality closely ties in with the Data Mapping module which, alongside a great number of assets across the organization, helps Tumi and her team detail records of processing. For example, British Council can link a PIA to an inventory record and demonstrate the link between the record of processing and the assurance framework. OneTrust has enabled the British Council to build and maintain a clear overview of their data flows.

Cookie Consent has also been an invaluable tool in ensuring a compliant online presence across the British Council’s 250 websites. A key selling point for Cookie Consent was that it enabled them to scan all websites for cookies and other tracking technologies. Before OneTrust, this was all done in-house and was difficult to maintain in light of a changing regulatory landscape. Automating the process through OneTrust has enabled British Council to seamlessly manage cookie compliance across their web properties.

Since integrating a new cookie banner providing visitors with clear and concise information, British Council has seen how this has impacted user interactions with their sites.

“OneTrust’s Cookie Consent was invaluable. It reduced the resource that we were going to have to spend if we did it in-house. Also, the fact that Cookiepedia can pick up and reassign existing cookies is amazing,” said Tumi


First class research with OneTrust DataGuidance

OneTrust DataGuidance has enabled the British Council to centralize and focus their privacy research. Being able to generate reports, particularly on enforcement actions, and send them to regional Information Governance Advisors, is useful for ensuring that they also stay up to date. According to Tumi, no other provider on the market provided the same coverage as OneTrust DataGuidance.

"It’s invaluable, you don’t realize how much time you spend researching until you save that time with OneTrust DataGuidance. It’s one in a million".


Tumi Atolagbe, Information Governance and Risk Advisor

“We have to provide key stakeholders with assurance that we are keeping up to date with global privacy laws and frameworks within which we operate, and the DataGuidance News Tracker has been vital in ensuring we keep on top of developments,” said Tumi.

The Comparison Charts have been very useful in helping to identify requirements in different countries, for example breach notification requirements, and being able to do so at a glance. These charts link to further information in the form of Guidance Notes, which allows the privacy team to deep dive into their research and then map those requirements.

The ability to setup email notifications makes it much easier for Tumi to keep relevant colleagues up to date, and boost awareness of new developments. Setting up regional alerts is particularly useful when the British Council is setting up regional offices in different jurisdictions helping them ensure compliance with the relevant requirements. Specific projects can be logged and tracked in the Workspaces functionality, which has helped keep research organized and the alerts function again ensures no updates are missed.

DataGuidance has helped Tumi and her colleagues draw their privacy research together and ensure that they can keep on top of numerous regulations with which they need to be compliant.

The most significant benefit of the DataGuidance module is the time that it saves, by streamlining and directing research, said Tumi “It’s invaluable, you don’t realize how much time you spend researching until you save that time with OneTrust DataGuidance. It’s one in a million.” 


Picture perfect privacy with OneTrust

Tumi and her team at the British Council are seeing true ROI from their OneTrust implementation.  The PIA process and Privacy by Design have become embedded into the organization, and employees have a better understanding of privacy in relation to their role. The dashboards are user-friendly, accessible and importantly they reduce the amount of manual admin.

“Privacy isn’t a barrier to innovation, it’s a gateway. OneTrust has put privacy back into the hands of the individual,” said Tumi.

Looking to the future of the British Council’s privacy program there will be many new projects in regions where new regulations may go beyond the GDPR and they will be paying close attention to developments with the ePrivacy Directive, but one thing is clear that’s the fact that OneTrust will be playing a big part in all of their new projects.

You may also like


Responsible AI

Unpacking the EU AI Act

Prepare your business for EU AI Act and other AI regulations with this expert webinar. We explore the Act's key points and requirements, building an AI compliance program, and staying ahead of the rapidly changing AI regulatory landscape.

July 12, 2023

Learn more


Consent & Preferences

Live demo: How to automate consent and preference management with OneTrust

In this webinar, we demonstrate how OneTrust Consent and Preferences helps build stronger customer relationships by providing transparency, giving users control over their data use, and delivering personalized experiences.

June 29, 2023

Learn more


Privacy Management

Unpacking the EU-US DPF

In this webinar, we cover the new EU-US Data Privacy Framework (EU-US DPF) and what privacy program managers need to know for post-Schrems II data transfers.

June 28, 2023

Learn more