Ingram Micro Creates a Technology-Driven GDPR Compliance Program with OneTrust
Ingram Micro is a global technology and supply chain services leader helping businesses realize the promise of technology. Through a spectrum of global technology solutions and supply chain services, businesses across the globe use Ingram Micro’s mobility, cloud and supply chain solutions to operate efficiently and successfully in the markets they serve.
With the passage of the GDPR, Ingram Micro understood there was an increasing risk impacting the company’s privacy practices. To prepare its global privacy program for GDPR, Ingram Micro hired Aaron Mendelsohn in 2016 as the Chief Data Privacy Officer. “We felt that if we could build a program based on GDPR compliance we’d be addressing 90 percent of the data frameworks and legal obligations worldwide,” he said. “We decided let’s get it right with GDPR in Europe and apply those solutions, processes and policies globally within the organization.”
Changing the mindset: a business-focused operation toward personal data protection
Ingram Micro’s operations are primarily B2B transactions. Mendelsohn understood, however, that B2B businesses also collect and process personal data under the GDPR, including employee records, business contacts and end-user data delivered to Ingram Micro from reseller networks.
“One of the first challenges was to shift the cultural mindset,” he explained. “We don’t deal with personal data in the same way as a lot of other technology companies. Internal education was required for the company to realize that we do process personal data and that we needed to get the tools in place to understand and manage the GDPR risk to the organization.”
Mendelsohn then took a proactive approach to Ingram Micro’s GDPR program. In the two years leading up to the GDPR deadline, he engaged with technology vendors, service providers, legal professionals and professional services to ensure Ingram Micro developed a privacy program with a strong foundation for implementing compliance and for putting the company in the most defensible position.
“The flexibility of OneTrust helps us manage compliance beyond just privacy and security, making it an easy sell to our leadership.” Aaron Mendelsohn, Chief Data Privacy Officer
Using OneTrust for privacy compliance and beyond
As a technology company itself, Ingram Micro understands the value of technology services to help solve major challenges. Mendelsohn evaluated OneTrust and quickly realized the value of the tool and the flexibility to adapt it for compliance across the organization.
The initial use case for OneTrust was to support assessments. “We really liked the assessment automation tool, and the foundation OneTrust provided allowed us to adapt those assessments to meet our needs,” said Mendelsohn. “I saw the flexibility, pricing model and additional modules. It was a no-brainer in terms of getting it approved and budgeted.”
He activated OneTrust’s Assessment Automation Module for several use cases: third-party management, to assess service providers that process data on Ingram Micro’s behalf; privacy impact assessments within the organization, so that as new solutions were developed or core changes were made to existing environments, Ingram Micro could assess risk and identify ways to mitigate it; and other purposes across the compliance team.
“The tool was so flexible we could use it beyond privacy and security, enabling us to use the assessment automation module to perform risk assessments within our organization, including anti-money laundering, gifts and entertainment, antitrust, and general compliance risk,” he said.
Another major benefit of using OneTrust, according to Mendelsohn, is the central repository to track and maintain privacy-related activities and processes. He no longer had to manage the program through spreadsheets, the company intranet, or an unstructured data set. “Having it there in a tool is certainly beneficial,” he said.
The repository of information also equips Ingram Micro in the event of an inquiry. “If we are asked to show how we’re compliant, having a central repository gives us the assurance to know that we can exhibit our approach and how we’re complying – whether that was asked by a supervisory authority, another government entity and even a customer,” said Mendelsohn.
Evangelizing privacy across Ingram Micro
While the GDPR enforcement date has passed and Ingram Micro has set up the foundation of its technology-powered privacy program, Mendelsohn knows the work is far from done. Looking beyond 2018, Mendelsohn plans to grow and expand the program and evangelize privacy-focused initiatives across Ingram Micro.
Through in-person and online training, Mendelsohn has educated business unit leaders and executives about how to use OneTrust for risk assessments and privacy impact assessments, and to ensure privacy by design and default. “The reception has been overwhelmingly positive,” he said.
Looking forward, he plans to activate a network of internal privacy ambassadors that will use their knowledge of privacy by design and OneTrust to assess and understand privacy risk as new services are developed or existing environments are changed. As the program develops and matures, Mendelsohn will continue to leverage OneTrust technology to assist in his efforts.
“OneTrust doesn’t have to be viewed as just a privacy tool,” he concluded. “Through the flexibility of the tool you can implement custom configurations, develop your own processes and leverage it across your compliance organization.”