Serco transforms their privacy program with OneTrust leading the way

Hallway of architectural arches

Serco Plc is an FTSE 250 company and international provider of public services to governments throughout the UK & Europe. With many contracts across the region, Serco operates across the defense, justice and immigration, transport, health and citizen services sectors, making them responsible for transforming the delivery of vital services on behalf of governments and other public sector organisations.

From making patients feel comfortable while in hospital, teaching prisoners valuable life skills, ensuring trains run on time, improving road safety and maintaining essential services for government defense, Serco is making a difference for thousands of people who use its services.

Serco understands their end users have a heightened sense of vulnerability and the company holds a large amount of sensitive data, so ongoing privacy operations are essential to mitigating risk for the business, as well as its customers, vendors, and employees.

To operationalise their privacy operations, Serco’s Julie Varcoe-Cocks, Head of Ethics, Regulatory and Compliance and DPO worked to enhance their privacy program.

"We operate in a diverse number of sectors and work on many contracts, so we decided to build upon our current information governance framework to most efficiently and effectively manage our privacy operations."


Julie Varcoe-Cocks, Head of Ethics, Regulatory and Compliance and DPO

Focusing on a GDPR-ready privacy program

Two years before the effective date of GDPR Varcoe-Cocks developed a GDPR education proposal with senior management. She understood that GDPR was not just a compliance requirement, but crucial that business units across the company were on board with the strategy and approach to the regulation. To build upon this cross-function effort, Serco formed a data governance committee which brainstormed the various ways in which the GDPR could apply, as well as how the company could most efficiently and effectively comply.

To get started, Serco determined how to best protect customer, employee and end-user data. Serco updated their privacy policies and procedures based on their GDPR roadmap and created a project team that includes a Data Protection Champion responsible for each contract.

Teaming up with OneTrust and partners to automate privacy processes

Serco recognized an excel-based process would not be manageable given the diverse number of systems the business works within and assets that handle personal data. Serco evaluated a number of tools and selected OneTrust to assist with their privacy program. They noted OneTrust had a unique set of capabilities and tools as well as the well-defined customer base and commitment to ongoing innovation.

"We needed a straight out-of-the-box solution that we could tweak and tailor to kickstart the data inventory process. OneTrust already had an expansive customer base as well as a structured formula to scale and operationalize our privacy program."


Emma Green, Data Governance Specialist

The Serco Data Protection Office got to work implementing OneTrust’s Data Mapping and Inventory tool to understand their data inventory and processing activities to identify gaps and track recommendations, evidence and approvals for remediating risk.

Serco also implemented OneTrust’s Assessment Automation tool to distribute privacy-related questionnaires and improved collaboration between the Data Protection Office, business leaders and customer contract Data Protection Champions. This framework was adopted to not only improve Serco’s privacy processes, but to serve as a way to better understand risks and add value to current work we do.

They later rolled out a GDPR training for over 400 managers, business leaders and Data Protection Champions. In doing so, Serco empowered employees across the business to understand that GDPR obligations and data protection is the responsibility of the entire company. OneTrust is an integral part of the company’s privacy operations and “to date, every single Serco contract has come into contact with the OneTrust portal at some point,” said Varcoe-Cocks.

"OneTrust is becoming even more interactive as the company invests more time into product innovation and regulatory research and this combined supports our privacy management goals."


Julie Varcoe-Cocks, Head of Ethics, Regulatory and Compliance and DPO

Identifying new and innovative ways to work within OneTrust

OneTrust has helped the business capitalize on increase company-wide privacy awareness.

Serco plans to improve upon and further standardize their privacy processes well into 2019, specifically as it relates to the standardization of DPIAs in the OneTrust tool to further identify privacy risk management best practices.

"OneTrust helps us understand good privacy practices. The attraction of OneTrust is that we can adapt our privacy assessments and data mapping to a centralized framework with deep privacy research built in to see where our data sits, the flow of this data, commonalities behind it, as well as what risks exist and how we should go about mitigation in the event of an incident."


Julie Varcoe-Cocks, Head of Ethics, Regulatory and Compliance and DPO

As the regulatory environment continues to develop, Serco understands data protection is an ongoing process. They are evaluating OneTrust’s cookie compliance and incident and breach modules to further automate regulatory obligations and are committed to enhancing not just how the business operates in terms of the GDPR, but holistically.


You may also like


Privacy Management

Managing data transfers within the UK & EU

Join our experts as we discuss ways to effectively manage data transfers between the UK & EU while staying compliant with the latest privacy regulations.

October 31, 2023

Learn more


Data Discovery & Security

A guided tour of OneTrust Data Discovery magic

Our expert speaker will demonstrate how common real-world data challenges can be identified, addressed, and reported on, leading to better data governance, security, and alignment with business goals. 

October 26, 2023

Learn more


Data Discovery & Security

Data minimization and risk assessment in data discovery

Explore the concept of data minimization and its crucial role in enhancing security, privacy, and reducing risk.

October 19, 2023

Learn more