INTO University Partnerships (INTO) is an independent organization focused on expanding higher education opportunities for students worldwide. By working in partnership with universities in the United Kingdom, North America and Asia, they offer international students the opportunity to further their education and achieve academic success at leading universities.

With a mission to help universities create a rich and globally diverse environment for teaching and learning, INTO serves as the bridge between students seeking higher education opportunities and universities who seek to internationalize their teaching, research and engagement around the world. Through their partnerships, INTO provides unique opportunities for both students and universities that neither would be able to accomplish alone.

As a company that operates globally, interacting with thousands of people each day, from students, university faculty and INTO employees, they understand that privacy is a critical piece of their business. “We recognize that without the ability to process personal data, INTO would find it very difficult to operate,” said Veronica Morrison, Senior Manager, Data Governance and Data Protection Officer at INTO. “With a network that spans across the globe, we aren’t dealing with just one set of data subjects, but so much more, and it is imperative not only to the business, but to our data subjects as well, that we handle that data correctly.”

Educating internal teams on the importance of data protection

When Morrison came into her role as the first Data Protection Officer (DPO) at INTO, her goal was to set the company on a journey that would see its data governance and privacy program mature. Previously, INTO had focused on data quality and limited aspects of data governance. With the GDPR on the horizon, Morrison jumped fully into her role as DPO to help prepare INTO for the GDPR and to improve their data protection efforts.

“When I joined the INTO team, the GDPR was quickly approaching, and the implications of that and what it meant for us as a company hadn’t quite been grasped yet,” said Morrison. “Compliance with privacy legislation and the GDPR was something I had focused on in previous roles, so I was able to get those conversations started and work with senior stakeholders.”

One of the biggest challenges Morrison faced when working with internal stakeholders on INTO’s GDPR compliance efforts was the incorrect assumption that INTO only processed data for one data subject group. The reality is very different for the wider INTO Group which works in many locations globally.

“It was well-known internally that INTO holds a lot of data, but there weren’t any discussions happening around this fact,” said Morrison. “I brought data protection into conversations with colleagues in the UK and the US, putting privacy at the forefront of everyone’s mind, no matter their role at the company.”

As INTO began to ramp up their privacy program and prepare for the GDPR, Morrison realized that as a one-person team, she needed a solution to help manage the program. “I looked to what OneTrust was offering and a couple of other solutions as well,” said Morrison. “It was clear that OneTrust was the best fit for us, and as the product has improved and evolved over time it has become an even better fit.”

Embedding privacy into the global syllabus

INTO has since successfully leveraged OneTrust’s Assessment Automation (PIA/DPIAs), Data Mapping Automation and Cookie Consent and Website Scanning modules to streamline data protection and legislation compliance efforts across the entire organization.

One of the first tools that INTO implemented, OneTrust’s Assessment Automation, remains an integral part of their privacy program today. INTO was able to asses where they were as an organization in terms of compliance with the GDPR when they first began their compliance efforts, and they can continue to use it to take steps to further their organization on the path to compliance with OneTrust’s expansion of the Assessment module to now include other privacy laws as well as international standards.

“OneTrust’s dashboard approach within the entire tool, not only just in Assessment Automation, is really helpful in raising awareness and getting the right messages in front of C-suite and executive board members,” said Morrison. “Visual tools are so useful and easy to understand across every department, something that is very unique to the OneTrust platform.”

The INTO Group is made up of individual legal entities with several sources of personal data so it was a challenge for INTO to document the data flows throughout the organization. These multiple sources of data led to questions about the controllers and processors of that data. With OneTrust’s Data Mapping technology, INTO was able to address this complexity and improve the understanding of the intra-group data flows.

“Making sure that all the processing activities we do globally are attributed both to the right INTO entity remains our biggest challenge,” said Morrison. “With OneTrust we not only can ensure that data will be attributed to correct entities, but that we can do more with other modules as well.”

With OneTrust’s Cookie Consent and Website Scanning, INTO is able to manage cookie banners across eight different websites all under the INTO domain. Morrison has transitioned the management of cookies completely to INTO’s digital systems and digital marketing teams, allowing them to streamline global cookie and ePrivacy regulations compliance across all site to facilitate data subject consent for cookies, advertising, and tracking.

“The OneTrust tool is so flexible,” said Morrison. “It makes managing our various obligations from GDPR much easier – being able to transition different modules over to colleagues outside of the compliance team, not only making things achievable for me but embeds privacy into our culture.”

Graduating to CCPA, ePrivacy and beyond

As INTO looks beyond GDPR to other global privacy laws such as updated ePrivacy and new California Consumer Privacy Act (CCPA), Morrison has plans for leveraging other OneTrust modules for compliance efforts. With the CCPA fast approaching, and two INTO entities headquartered in San Diego, Morrison is working with colleagues to start compliance efforts around the new law.

“We know that both CCPA and ePrivacy Regulation will influence INTO when they become effective,” said Morrison. “I’m looking forward to the continued use of OneTrust to address these, as we did with the GDPR and hoping to add OneTrust’s Vendor Risk Assessment to INTO’s list of modules, so we can move forward with more risk assessments through the OneTrust platform as well.”

She added, “OneTrust links so well to individual elements of privacy legislation, something that has been very beneficial for us. The flexibility of the tool and the way we have been able to integrate other modules has allowed us to build a solid foundation for INTO’s privacy program.”