MSX International

How OneTrust became a central component of the compliance and security ecosystem of MSX International


MSX International (MSX) is a leading provider of technology-enabled business process outsourcing (BPO) services to automotive manufacturers, with offices across the globe. They combine industry expertise and technology into BPO, which enables original equipment manufacturers (OEMs) to be more profitable. MSX has been in the market for over 25 years and the company overall has been in existence for 80.

 

A team with a mission was born 

 Due to the big push coming from the EU’s GDPR, and therefore the global responsibility for information security and compliance, MSX founded a dedicated team in 2017 called the GDPR Initiative, which turned into their Information Security & Compliance Team. 

Their geographic focus is on three primary regions: Europe, Asia Pacific, and America, with Khris Hruska, Global Director of Information Security and Compliance, and Holger Erb, Information Security and Compliance Manager, EU. The team’s main focus is GDPR-initiated compliance, maintaining both regulatory compliance and OEM compliance. In addition, they have added security operations.

Besides GDPR, the team also focuses on ISO 27001, NIST, CCPA and LGPD due to their customers’ needs. If new requirements arise, the global team has to be aware and react. ‘So, there’s a massive requirement for emerging compliance requirements that we have to manage’, says Khris. ‘And really OneTrust has been one of the central applications that’s grown up with us over the last few years as we’ve built up the InfoSec.’

 

OneTrust becomes an indispensable instrument 

 The challenge for the InfoSec & Compliance team was to establish a comprehensive platform that fulfilled all their needs. At the end of 2017, the InfoSec and Compliance Team selected OneTrust as the platform to accomplish their mission.

Initially starting with the OneTrust Data Mapping tool, the first processing activity and asset assessments took place in March 2018. Due to the changes in Europe with the GDPR, the team realized that the OneTrust platform could do more. They expanded with Vendor Risk Management, Data Subject Request, Incident Management, Maturity & Planning, and Cookie Compliance.

 OneTrust has become a vital piece of the team. “We can’t do it without OneTrust,” says Holger. “It has become a central component of our compliance and security ecosystem. It’s been on the cutting edge of new compliance and regulatory requirements like LGPD and CCPA.”

 

How OneTrust helps MSX’s InfoSec & Compliance team on a global level

Data Mapping: The InfoSec & Compliance Team uses different OneTrust modules to address several challenges and simplify their daily routine. Before the implementation, all processing activities and assets were saved in different systems and Excel charts. At the start, they uploaded over 1,800 processing activities and 700 people to the system. Now, Data Mapping is part of the team’s core processes.

 DSAR: MSX receives several data subject requests from their clients that need to be addressed and answered. The process differs from region to region and by location. “GDPR really forced us to be in a position to have to respond within a time bound piece,” notes Hruska, “And we didn’t have a good way of doing it.” Implementing the DSAR module was massively beneficial to MSX as it allows them to control the workflow, gather the exact information needed, work with people directly, and ensure that things are met in time.

 Incident Management: Incident Management is a recent entry for MSX which they use exclusively to manage incident responses. MSX has created templates through the self-service portal that people can fill out to report their own security incidents. Additionally, the team has created automated assessments for data loss protection issues with an “alarm” that allows them to create a security incident.

 Maturity and Planning: For any standard integration such as ISO 27001 or PCI DSS, the InfoSec & Compliance team uses a dashboard. Additionally, they have implemented a new process that their compliance managers use to generate dashboards on all of their ongoing audits. This allows MSX to communicate within the organization about the compliance status, whether they’re compliant, and show items that need to be addressed in order to move things along.

Vendor Risk Management: MSX uses a self-service portal for their vendors for any security incidents that have happened, new programs they want to apply for, and more. This allows vendors to go into the system and immediately fill out all required information without even having to open a ticket with MSX. “We just saw in the Asia Pacific environment; we had a security incident where the person was able to go in the OneTrust platform and actually kick off their own self service portal request instead of opening a ticket. We were able to immediately jump in and start working through the issue much faster,” says Khris. “It cuts off the red tape and gets the issue right into the inbox.”

 

Cookie Compliance: The InfoSec & Compliance Team has been using OneTrust Cookie Compliance, mainly for mergers and acquisitions, to validate how websites are being set up. The team doesn’t push the banner onto websites, but they do share the code generated from OneTrust with the site’s developers so that they can implement banners themselves. From a change control perspective, MSX gets notified of changes, such as how an application or website has changed. This gives the team instructions to maintain compliance within it.

“Thanks to OneTrust for creating a new standard for how compliance is conducted and for continuously improving it further,” concludes Khris. “The three-dimensional component of the platform with assets, processing activities and vendors gives companies a very holistic view of what a program really looks like, identify where your dependencies are and creates a very strong compliance framework which is really easy to get in a clean process in front of auditors.”