As a company that operates globally and interacts with thousands of people each day, including students, university faculty and INTO employees, INTO understands that privacy is a critical piece of its business. “We recognize that without the ability to process personal data, INTO would find it very difficult to operate,” said Veronica Morrison, Senior Manager, Data Governance and Data Protection Officer at INTO. “With a network that spans across the globe, we aren’t dealing with just one set of data subjects, but so much more, and it is imperative not only to the business, but to our data subjects as well, that we handle that data correctly.”
Educating internal teams on the importance of data protection
When Morrison came into her role as the first Data Protection Officer (DPO) at INTO, her goal was to set the company on a journey that would see its data governance and privacy program mature. Previously, INTO had focused on data quality and limited aspects of data governance. With the GDPR on the horizon, Morrison jumped fully into her role as DPO to help prepare INTO for the GDPR and to improve their data protection efforts.
“When I joined the INTO team, the GDPR was quickly approaching, and the implications of that and what it meant for us as a company hadn’t quite been grasped yet,” said Morrison. “Compliance with privacy legislation and the GDPR was something I had focused on in previous roles, so I was able to get those conversations started and work with senior stakeholders.”
One of the biggest challenges Morrison faced when working with internal stakeholders on INTO’s GDPR compliance efforts was the incorrect assumption that INTO only processed data for one data subject group. The reality is very different for the wider INTO Group, which works in many locations globally.
“It was well-known internally that INTO holds a lot of data, but there weren’t any discussions happening around this fact,” said Morrison. “I brought data protection into conversations with colleagues in the UK and the US, putting privacy at the forefront of everyone’s mind, no matter their role at the company.”
As INTO began to ramp up their privacy program and prepare for the GDPR, Morrison realized that as a one-person team, she needed a solution to help manage the program. “I looked to what OneTrust was offering and a couple of other solutions as well,” said Morrison. “It was clear that OneTrust was the best fit for us, and as the product has improved and evolved over time it has become an even better fit.”
Embedding privacy into the global syllabus
INTO has since successfully leveraged OneTrust’s Assessment Automation (PIA/DPIAs), Data Mapping Automation and Cookie Consent and Website Scanning modules to streamline data protection and legislation compliance efforts across the entire organization.
One of the first tools that INTO implemented, OneTrust’s Assessment Automation, remains an integral part of their privacy program today. When INTO first began its compliance efforts, the module let the organization assess where it stood in terms of compliance with the GDPR. INTO can continue to use it to move further along the path to compliance, because OneTrust has expanded the Assessment module to include other privacy laws as well as international standards.