Using OneTrust for privacy compliance and beyond

As a technology company itself, Ingram Micro understands the value of technology services to help solve major challenges. Mendelsohn evaluated OneTrust and quickly realized the value of the tool and the flexibility to adapt it for compliance across the organization.

The initial use case for OneTrust was to support assessments. “We really liked the assessment automation tool, and the foundation OneTrust provided allowed us to adapt those assessments to meet our needs,” said Mendelsohn. “I saw the flexibility, pricing model and additional modules. It was a no brainer in terms of getting it approved and budgeted.”

He activated OneTrust’s Assessment Automation Module for several use cases: third party management to assess service providers that process data on Ingram Micro’s behalf; privacy impact assessments within the organization so as new solutions were developed or there were core changes to existing environments Ingram Micro could assess risk and identify ways to mitigate that risk; and other purposes across the compliance team.

“The tool was so flexible we could use it beyond privacy and security, enabling us to use the assessment automation module to perform risk assessments within our organization, including anti money laundering, gifts and entertainment, antitrust, and general compliance risk,” he said.

Another major benefit of using OneTrust, according to Mendelsohn, is the central repository to track and maintain privacy-related activities and processes. He no longer had to manage the program through spreadsheets, the company intranet, or an unstructured data set. “Having it there in a tool is certainly beneficial,” he said.

The repository of information also equips Ingram Micro in the event of an inquiry. “If we are asked to show how we’re compliant, having a central repository gives us the assurance to know that we can exhibit our approach and how we’re complying – whether that was asked by supervisory authority, another government entity and even a customer,” said Mendelsohn.

Evangelizing privacy across Ingram Micro

While the GDPR enforcement date has passed and Ingram Micro has set up the foundation of its technology-powered privacy program, Mendelsohn knows the work is far from done. Looking beyond 2018, Mendelsohn plans to grow and expand the program and evangelize privacy-focused initiatives across Ingram Micro.

Through in person and online trainings, Mendelsohn has educated business unit leaders and executives about how to use OneTrust for risk assessments, privacy impact assessments and to ensure privacy by design and default. “The reception has been overwhelmingly positive,” he said.

Looking forward, he plans to activate a network of internal privacy ambassadors that will use their knowledge of privacy by design and OneTrust to assess and understand privacy risk as new services are developed or existing environments are changed. As the program develops and matures, Mendelsohn will continue to leverage OneTrust technology to assist in his efforts.

“OneTrust doesn’t have to be viewed as just a privacy tool,” he concluded. “Through the flexibility of the tool you can implement custom configurations, develop your own processes and leverage it across your compliance organization.”