Drax Group

Drax power privacy with OneTrust

Wind turbines and solar panels

In 2019 Drax announced a world-leading ambition to be carbon negative by 2030, using Bioenergy with Carbon Capture and Storage (BECCS) technology. Their employees operate across three principal areas of activity – electricity generation, electricity sales to business customers and compressed wood pellet production and supply to third parties. They own and operate a portfolio of renewable electricity generation assets in England and Scotland, including the UK’s largest power station in Selby, North Yorkshire, which supplies five percent of the country’s electricity needs; and Drax also owns and has interests in pellet mills in the US South and Western Canada. Employing 3,400 people in the UK, North America and Canada, and supporting about 200k customers, Drax takes responsibility for protecting their personal data at every stage of processing and storage.

Providing a high standard of data protection is key to Drax’s approach to privacy, and they were working towards GDPR compliance since well before the legal requirement was introduced in 2018. 


Building better visibility across Drax Group’s operations

Drax’s privacy team have clear goals for what they need from a technology solution: they need to know what data they have, where it is stored, who has the right to access, and what to do in response to an incident. They needed a tool that could support a large volume of requests and assessments, as well as technology that could support cross-team collaboration, particularly with their Information Security colleagues who play an important role in incident management. To support these needs, they chose to implement a range of OneTrust modules, including Assessment Automation, Data Mapping, Data Subject Requests, Vendor Risk Management, Incident Response, Cookie Compliance, and Awareness Training.


"The collaboration with the Cyber Security team allowed us to implement OneTrust technology without introducing new risks".


Florence Ampofo-Anim, Data Protection Manager


Florence Ampofo-Anim, Data Protection Manager at Drax highlights that collaboration with Drax’s Cyber Security colleagues was an important part of the implementation process. OneTrust provided all the information needed to plot the appropriate route to connect OneTrust to ServiceNow, as well as a Power BI integration.

“The collaboration with the Cyber Security team allowed us to implement OneTrust technology without introducing new risks,” said Florence.

The Data Mapping module is helping Drax build out their asset register. They have created a form that, when filled in, will automatically populate their asset register, saving the team time and increasing accuracy. This also helps with security measures, as Data Champions do not need access to the full site but can just access the necessary form. 

“The Data Mapping module is helping to facilitate a full list of information assets, so stretching the functionality beyond just privacy,” said Florence.

The Cookie Compliance module was rolled out across Drax’s 12 domains and is an important aspect of their public-facing privacy program.


The data subject requests module powers more than just subject access requests

“The DSAR module is my absolute favourite, we are able to use it for so much more than fulfilling individual rights,” said Florence.

Being able to implement the DSAR module for a wide range of other data management tasks has added real value and return on investment. Drax is able to use the module to improve law enforcement collaboration including request verification for the police and HMRC, facilitate COVID-19 reporting, handle employee monitoring requests, and record advice and guidance given to show where questions around privacy are arising.


"The DSAR module is my absolute favourite, we are able to use it for so much more than fulfilling individual rights."


Florence Ampofo-Anim, Data Protection Manager


“Recording advice and guidance in the DSAR module allows us to be more intelligence led, we can support teams with additional training and documents where we see the need arise,” said Florence.

A great example of where recording advice and guidance in the DSAR module has been useful is that it showed that the HR department had a lot of questions about data sharing. This visibility has enabled the privacy team to set up dedicated training to provide clarity on where the boundaries lie and what is and isn’t appropriate when sharing data.


Powering growth with privacy modules

Some of the key benefits of Drax’s OneTrust implementation is that the now centralized point of management is much more user-friendly, secure and allows greater visibility than the previous systems of Excel spreadsheets and Word documents. This visibility has been particularly useful in Ethics and Business Conduct Committee meetings, as the team can show the OneTrust dashboards for a clear visual representation of what is impacting the business.

With OneTrust modules providing vital support for Drax’s rights fulfilment, the next step for their program is to maximize the impact of automation and increase efficiency across their program.

You may also like


Responsible AI

Unpacking the EU AI Act

Prepare your business for EU AI Act and other AI regulations with this expert webinar. We explore the Act's key points and requirements, building an AI compliance program, and staying ahead of the rapidly changing AI regulatory landscape.

July 12, 2023

Learn more


Consent & Preferences

Live demo: How to automate consent and preference management with OneTrust

In this webinar, we demonstrate how OneTrust Consent and Preferences helps build stronger customer relationships by providing transparency, giving users control over their data use, and delivering personalized experiences.

June 29, 2023

Learn more


Privacy Management

Unpacking the EU-US DPF

In this webinar, we cover the new EU-US Data Privacy Framework (EU-US DPF) and what privacy program managers need to know for post-Schrems II data transfers.

June 28, 2023

Learn more