A study in Global Privacy with OneTrust

The scale at which the British Council operates requires a highly effective way of managing their global privacy program. Using GDPR compliance as a base, they scaled their program, implementing OneTrust in numerous jurisdictions around the world with the necessary localization. The diversity of assets required a technology with a wide range of solutions. 

Tumi Atolagbe, Information Governance and Risk Advisor at the British Council, felt that the organization’s key need was a technology-based solution that could match the scale and diversity of their operations. 

“Using OneTrust’s Data Mapping solution for Article 30 Record of Processing was a really good way for us to map all of our systems. We are data intensive, China for example, which is our biggest market, means we have incredibly large databases, so the data mapping capabilities of OneTrust made it a clear winner,” said Tumi.

To elevate and centralize their global privacy program, the British Council invested in Assessment Automation, Data Mapping, Cookie Consent, OneTrust DataGuidance.

The art of compliance through Assessments, Data Mapping and Cookies

The Assessment Automation module reduced much of the time-consuming manual work for Tumi and her team. The easily accessible PIAs were simple to setup within their organizational hierarchy and the ability to create their own templates meant they could implement flexibility with their assessments.

During their GDPR implementation, British Council decided to treat all operations with “high risk”, thus requiring a Privacy Impact Assessment by default and instead implemented a risk threshold into the process of doing the PIA. The conditional logic function allowed for a bespoke way to raise risks from inputted data. Any risks which are flagged automatically can be reported on and built into a geographical map and risk profile.

“In regions where we have older or paper-based systems, issues around recording of consent forms can be more complex. The Assessment Automation module helps us flag these risks, map them and produce consistent recommendations across the regions,” described Tumi.

As both a data processor and controller under the GDPR, Article 30 reports were one of British Council’s biggest challenges. With OneTrust, Tumi and her team can generate clear reports that not only helps improve efficiency within processes, but also improve accountability. This functionality closely ties in with the Data Mapping module which, alongside a great number of assets across the organization, helps Tumi and her team detail records of processing. For example, British Council can link a PIA to an inventory record and demonstrate the link between the record of processing and the assurance framework. OneTrust has enabled the British Council to build and maintain a clear overview of their data flows.

Cookie Consent has also been an invaluable tool in ensuring a compliant online presence across the British Council’s 250 websites. A key selling point for Cookie Consent was that it enabled them to scan all websites for cookies and other tracking technologies. Before OneTrust, this was all done in-house and was difficult to maintain in light of a changing regulatory landscape. Automating the process through OneTrust has enabled British Council to seamlessly manage cookie compliance across their web properties.

Since integrating a new cookie banner providing visitors with clear and concise information, British Council has seen how this has impacted user interactions with their sites.

“OneTrust’s Cookie Consent was invaluable. It reduced the resource that we were going to have to spend if we did it in-house. Also, the fact that Cookiepedia can pick up and reassign existing cookies is amazing,” said Tumi

First class research with OneTrust DataGuidance

OneTrust DataGuidance has enabled the British Council to centralize and focus their privacy research. Being able to generate reports, particularly on enforcement actions, and send them to regional Information Governance Advisors, is useful for ensuring that they also stay up to date. According to Tumi, no other provider on the market provided the same coverage as OneTrust DataGuidance.

“We have to provide key stakeholders with assurance that we are keeping up to date with global privacy laws and frameworks within which we operate, and the DataGuidance News Tracker has been vital in ensuring we keep on top of developments,” said Tumi.

The Comparison Charts have been very useful in helping to identify requirements in different countries, for example breach notification requirements, and being able to do so at a glance. These charts link to further information in the form of Guidance Notes, which allows the privacy team to deep dive into their research and then map those requirements.

The ability to setup email notifications makes it much easier for Tumi to keep relevant colleagues up to date, and boost awareness of new developments. Setting up regional alerts is particularly useful when the British Council is setting up regional offices in different jurisdictions helping them ensure compliance with the relevant requirements. Specific projects can be logged and tracked in the Workspaces functionality, which has helped keep research organized and the alerts function again ensures no updates are missed.

DataGuidance has helped Tumi and her colleagues draw their privacy research together and ensure that they can keep on top of numerous regulations with which they need to be compliant.

The most significant benefit of the DataGuidance module is the time that it saves, by streamlining and directing research, said Tumi “It’s invaluable, you don’t realize how much time you spend researching until you save that time with OneTrust DataGuidance. It’s one in a million.” 

Picture perfect privacy with OneTrust

Tumi and her team at the British Council are seeing true ROI from their OneTrust implementation.  The PIA process and Privacy by Design have become embedded into the organization, and employees have a better understanding of privacy in relation to their role. The dashboards are user-friendly, accessible and importantly they reduce the amount of manual admin.

“Privacy isn’t a barrier to innovation, it’s a gateway. OneTrust has put privacy back into the hands of the individual,” said Tumi.

Looking to the future of the British Council’s privacy program there will be many new projects in regions where new regulations may go beyond the GDPR and they will be paying close attention to developments with the ePrivacy Directive, but one thing is clear that’s the fact that OneTrust will be playing a big part in all of their new projects.