Natural History Museum

Bringing privacy to life at the Natural History Museum

Photo of architectural details outside of a building

The Natural History Museum is one of the world’s most well-known museums. Internationally recognized as a center of excellence for scientific research and public engagement, the museum is one of the UK’s most popular visitor attractions.

The Information Management team of three is led by Data Protection Officer Esme Chapman, whose overall vision for the privacy program was to have a centralized solution to harmonize the breadth of departments that comprise the Natural History Museum.

Compliance can feel like a mammoth challenge

The Natural History Museum’s operations encompass an extensive range of activities including scientific research, public engagement, education programs, and marketing. Processes and teams were often siloed, and the culture of privacy varied across the different areas. At times GDPR compliance felt like a mammoth task. To streamline compliance operations and develop a more consistent and engaged approach to privacy, the Natural History Museum needed a customizable, user-friendly solution to bring together all areas of their privacy program. 

Richard Hinton, Head of TS and Enterprise Architecture Planning at the Natural History Museum shared that the increased activities, including GDPR compliance, demonstrated a need for a tool to support their privacy program. “We needed to move away from spreadsheets and introduce a more accessible and user-friendly means of managing our data processing activities,” said Richard.

Spreadsheets out, centralized solution in

With such a diverse range of operations all sitting under the Natural History Museum’s logo, one person alone cannot manage data protection for everyone, rather individuals need to be empowered to engage with their data protection responsibilities actively. OneTrust provided a centralized point of access for crucial data protection tasks, including record-keeping and assessments. The centralized hub meant that Esme could more easily navigate through their processes and track progress more readily.

"OneTrust has quickly become an important part of our information space."


Richard Hinton, Head of TS and Enterprise Architecture Planning

The intuitive nature of the OneTrust tool meant that it was easy for Esme to quickly familiarize herself with how it could be used, and also meant that it was easily adopted across the Museum by everyone who would be filling in assessment forms for things such as Data Protection Impact Assessments and Records of Processing Activities. The ability to direct specific assessments directly to process and data owners across the Museum helped Esme to reduce the manual work involved in completing assessments, as requests for completion could be automatically sent to the right people and filled in directly via OneTrust’s Assessment Automation Module. OneTrust tools have been instrumental in empowering employees and understand how privacy is relevant to their role, creating more engaged teams and cross-departmental collaboration on privacy compliance.  

Implementation? That’s ancient history now

An all-encompassing data mapping exercise was the first task on the agenda for the Natural History Museum team. This provided an overview of what personal data processes were taking place across the Museum, and then the detail required for compliance with GDPR Article 30 was added in by sending out a Records of Processing Assessment for each process. To get up and running with the Data Mapping module and complete their Record of Processing Activities took the Natural History Museum approximately five months.

"We know that what we tell people in our Privacy Notice about how we process personal data is true and accurate, and the reporting functionality of the OneTrust tools helps us to demonstrate that."


Esme Chapman, Data Protection Officer

This foundation step provided Esme with a clear framework that she could then build upon with other privacy information such as Data Protection Impact Assessments (DPIAs) and Legitimate Interest Assessments (LIAs), and this could in turn be used to inform the content of the Museum’s public facing Privacy Notice.  

A clear and accurate Privacy Notice is of course important in helping to build and maintain consumer trust. “We know that what we tell people in our Privacy Notice about how we process personal data is true and accurate, and the reporting functionality of the OneTrust tools helps us to demonstrate that,” said Esme. 

A privacy program for the ages

For the Natural History Museum team, the most significant benefit of their OneTrust implementation has been the ability to seamlessly coordinate data privacy tasks. It also provides Esme and her team with centralized and long-term visibility of their privacy management obligations, for example with data incidents. A centralized tool means being able to easily keep track of data incidents, track and manage remediation tasks, and record notification decisions and outcomes. 

This efficiency has also been noticeable when it comes to data protection impact assessments (DPIAs) and legitimate interest assessments (LIAs), with employees being able to complete them more easily and with greater understanding than previous ‘paper’ forms. This helps ensure there are sufficient and accurate records, providing greater accountability as to how the Museum is meeting the legal requirements set out in data protection law. 

“OneTrust has quickly become an important part of our information space,” said Richard. 

With individuals being at the heart of any strong privacy program, the Natural History Museum takes pride in the fact that they prioritize transparency and accountability. OneTrust’s Assessment Automation and Data Mapping tools have helped them build a clear understanding of the data they are processing and makes it easier to check that the appropriate risk assessments and legal basis are being used.

“OneTrust has given us confidence that we can evidence how we are accountable to both the law and to the expectations of the individual’s whose information we hold,” said Esme.

You may also like


Privacy Management

Managing data transfers within the UK & EU

Join our experts as we discuss ways to effectively manage data transfers between the UK & EU while staying compliant with the latest privacy regulations.

October 31, 2023

Learn more


Data Discovery & Security

A guided tour of OneTrust Data Discovery magic

Our expert speaker will demonstrate how common real-world data challenges can be identified, addressed, and reported on, leading to better data governance, security, and alignment with business goals. 

October 26, 2023

Learn more


Data Discovery & Security

Data minimization and risk assessment in data discovery

Explore the concept of data minimization and its crucial role in enhancing security, privacy, and reducing risk.

October 19, 2023

Learn more