Migros-Genossenschafts-Bund (Migros) is Switzerland’s largest retailer and supermarket chain. Structured in the form of a cooperative society, Migros’ customer loyalty program has over two million participating households, covering almost half of Switzerland’s population. Migros’ subsidiaries cover a wide range of markets, including supermarkets, convenience stores, a health care provider, travel agency, bank, ecommerce business and many others. More than 90 percent of goods sold in Migros stores are produced by its subsidiaries.

As the largest employer in Switzerland and the operator of Switzerland’s largest customer loyalty program, Migros understands the importance of privacy to their business.

“Privacy is a very important element to us,” said Matthias Glatthaar, Head Data Privacy and Digital at Migros. “Although we have a diverse group of brands, our loyalty program is at our core, and ensuring that we protect our customer’s personal data is vital for the success of that program.”

Centralizing data protection with loyalty at its core

As a company that has been around for over 95 years, one of the biggest challenges Migros faced with their GDPR implementation was discovering the many ways in which they process data, and finding a way to centralize their approach to privacy.

“We are a legacy company, so we’ve been around for a long time and we have a lot of fractured and decentralized processes,” said Glatthaar. “With our incredibly diverse group of brands we had to decide how we can feasibly approach our GDPR implementation from a group perspective.”

As the largest and most well-known customer loyalty program in Switzerland, three out of every five transactions are done through the program at Migros’ stores. Migros processes their customer’s data and generates it through their loyalty card, allowing them to use that data for personalized coupons and ads. With the core of their data processing activities done through their customer loyalty program, Migros needed a solution to allow them to responsibly use the data of it’s over 2.8 million members, while still remaining compliant with the GDPR and other regulations.

In addition, Migros processes data in different ways through their many subsidiaries, including a health care provider that processes sensitive health data and several ecommerce companies processing online data from their many transactions.

With the large amounts of data processed, Migros recognized from the start that they needed a technology to help. “We knew that it was not an option to use excel for data mapping, our processes were much too complex,” said Glatthaar. “When we looked at the market and we came across OneTrust, it was clear that it was the best fit for us and our privacy program.”

Simplifying a labor-intensive process with OneTrust

Migros has successfully leveraged OneTrust’s Data Mapping Automation, Assessment Automation, Vendor Risk Management, Incident & Breach Response and Cookie Consent & Website Scanning to streamline data protection efforts across the entire organization.

One of the first tools that Migros implemented, OneTrust’s Data Mapping Automation, is the central piece of their privacy program. Due to the large amounts of personal data they process that flow across the organization, data mapping provided a solid foundation for them to build the rest of their privacy program.

“OneTrust Data Mapping is incredibly easy to use and understand,” said Thorsten Klaas-Wissing, Privacy Implementation Project Manager at Migros. “It is so flexible and agile that we are easily able to add DPIAs or threshold assessments into the platform without any added work. We use the extensive and still growing number of templates in the OneTrust platform to meet our specific needs, which is very beneficial with expanding the scope of our privacy program.”

With OneTrust Assessment Automation, Migros sends out questionnaires with their data mapping activities to ensure the mapping is on track. “After little personal training effort, we sent out the questionnaires to different groups in Migros and from there people were able to fill them in on their own,” said Klaas-Wissing. “This helped streamline the processes across our organization.”

Migros has a large inventory of vendors in their system, and with OneTrust Vendor Risk Management they get an overview of those vendors and can properly classify the risks with each one, and then feed that through Assessment Automation to generate appropriate questionnaires.

OneTrust Incident & Breach Response allows the Migros team to have a process to file and structure any incidents that may take place, so they have the proper preparations in place to respond. Lastly, with OneTrust Cookie Consent and Website Scanning, several of Migros’ subsidiaries have implemented a cookie banner on their website to inform visitors of their use of tracking technologies.

Navigating and adapting to a new global privacy landscape

With a solid foundation for their privacy program, the Migros team is beginning to look beyond the GDPR to other global privacy regulations including the ePrivacy Regulation and the Swiss Data Protection Act, which is currently under revision and will likely be adopted in the next one to two years.

“The regulatory landscape is so dynamic, and there is still a lot of work that needs to be done and preparations that need to be put in place,” said Glatthaar. “Our goal is to move as many of our processes as possible into OneTrust to make it a central hub for our data protection efforts.”

Additionally, Migros is currently evaluating the implementation of OneTrust’s Data Subject Rights Management module so they will be able to successfully track and respond to data subject access requests. They are also looking to expand their use of Vendor Risk Management and Incident & Breach Response as well as develop their DPIA processes into more assessments.

“What we really like about OneTrust is it’s developing so fast, there are new releases every few weeks,” said Glatthaar. “The platform is adapting and changing to not only keep up with the global privacy landscape, but also to adapt to what the Migros team needs specifically, something that is incredibly unique for a platform of this size and scale.”