The World Bank

The World Bank protects privacy while alleviating poverty

Exterior of buildings at sunset

The World Bank Group is the world’s largest development institution and is composed of five institutions. The World Bank strives to develop and implement sustainable solutions to reduce poverty and build shared prosperity in developing countries. In addition to this the World Bank is a major knowledge bank that collects, makes available, and disseminates information to help further their mission. 

With 189 member countries, staff in 170 countries, 130 global offices, and over 12,000 projects you can imagine that the World Bank manages their fair share of data to reach their targets. The communities and constituents they work with have entrusted mammoth amounts of data to them. 

Why does privacy matter to the World Bank?

Personal data is critical to this mission from conducting surveys, resettling refugees, finding solutions to Covid-19 mitigation efforts, or verifying borrower’s compliance with ESF requirements. While all data should be stewarded and handled with care you can imagine that the data collected by the World Bank contains highly sensitive information.

When serving vulnerable communities, such as refugees fleeing genocide or civil war, protecting their data from breaches and improper use is crucial. As a result, it was imperative that the World Bank built privacy into the DNA of their organization. Their projects must strike a balance between harm and interest while mainstreaming privacy.

“This isn’t always easy, but we can’t lose sight of the end goal for Privacy which is to maintain trust and transparency"


Tami Dokken, Chief Data Privacy Officer

Developing a unique privacy framework

While the World Bank Groups holds immunity from the myriad of data privacy laws and regulations around the world, they are still committed to protecting the data of the individuals they support as well as their staff.  To protect themselves from legal ramifications the World Bank Group has developed their own independent data privacy framework that is not biased towards any regulation or directive. 

The World Bank’s goals are to alleviate poverty and boost shared prosperity.  Data Privacy helps ensure that the personal data of the communities they work in are safeguarded and protected. There are a variety of reasons the World Bank decided to implement a self-imposed data protection framework. Tami recalls a project in Kenya and India, “The data subjects gave up money or their time for privacy protections. We found that privacy concerns are not limited to any demographics.

The World Bank Group’s Data Privacy Framework is based on seven high-level principles that govern the use of personal data by the World Bank’s Governing Institutions.  The framework applies to all personal data and all data subjects. These principles include: 

  • Legitimate, transparent, and fair processing  
  • Purpose limitation and data minimization 
  • Data accuracy 
  • Storage limitation 
  • Security  
  • Transfers to third-parties  
  • Accountability and data subject review

Building trust within the communities they serve

Many organizations are prioritizing trust as a key differentiator and the World Bank is championing these efforts. Privacy touches all aspects of life of the constituents they serve, and the communities they serve are particularly vulnerable. To fulfill their larger mission of building trust within the communities they serve is imperative. 

When developing their Data Privacy Framework, Tami and her team understood how important it was to incorporate an external accountability mechanism. Since the World Bank has immunity from regional laws and regulations this means that they would not have an assigned regulator. Data subjects can submit complaints to be evaluated and investigated based on a multi-tier approach. Thus, building trust with their clients and stakeholders on a deeper level and ensuring external accountability.

How does OneTrust support the World Bank’s privacy program 

The World Bank started their privacy program manually entering record processing activities into excel spreadsheets. Like many other organizations they soon realized that this was not sustainable and sought out a privacy management solution. They released an extensive RFP (Request for Proposal), and after a thorough review the World Bank determined OneTrust to have the best software capability to build their novel privacy program. 

The World Bank leverages several OneTrust modules to manage records of processing, privacy impact assessments, and data subject access requests. Through OneTrust’s cloud-based platform, the World Bank’s team across the globe easily utilizes the platform to automate and complete privacy-related tasks. 

Tami explained that to build privacy into the DNA of an organization privacy professionals should leverage a top-down approach and messaging is key. “We take a top-down approach to privacy with strong messaging and support from senior management. We also want to make sure our staff on the ground have the tools, that is where OneTrust comes in,” said Tami. 

OneTrust supports the World Bank’s campaign to ingrain privacy into the DNA of their organization in two major ways. The first is by using the Privacy Impact Assessments (PIA). By leveraging OneTrust’s automated templates, the World Bank’s employees around the world can operationalize privacy by design principles into all aspects of their work easily. This is essential to help team members identify and guide the use of personal information across the organization. By leveraging a PIA the organization can identify potential risks and establish procedures and systems to enable the privacy by design approach. 

Tami explained that the World Bank’s staff on the ground uses PIAs and DPIAs for, “basic self-assessments, for surveys, and for technology. These segue into the DPIAs if there is a higher risk, and we want to take a deeper dive.”

OneTrust modules used by the World Bank Group: 

  • Data Mapping –– Supports data controllers as they build and maintain an up-to-date mapping of their IT systems, business processes and third-parties, and the many-to-many relationships between.  
  • PIA/DPIA –– Leverage OneTrust’s library of customizable assessment templates, built by in-house experts, or customize your own to fit specific organizational workflows. 
  • Data Subject Access Request (DSAR) –– Automate task assignments start to finish, from validating identities, record updating, collection, redaction, and deletion of data, through a secure two-way communication portal. 

Looking ahead, the World Bank is working diligently with OneTrust’s implementation team to operationalize their Data Subject Access Request Portal that their staff and data subjects around the world will be able to utilize.

“Our staff all over the world can use the OneTrust platform it is seamless and easy to use. Our objective is to make all privacy related activities including DSAR request as seamless and easy as possible,”


Tami Dokken, Chief Privacy Officer

The World Bank has set the bar high for privacy standards and will continue to grow and adapt their privacy program with OneTrust there every step of the way. “OneTrust is a wonderful tool that is constantly growing, and the World Bank looks forward to growing alongside you,” said Tami. 

You may also like


Responsible AI

Unpacking the EU AI Act

Prepare your business for EU AI Act and other AI regulations with this expert webinar. We explore the Act's key points and requirements, building an AI compliance program, and staying ahead of the rapidly changing AI regulatory landscape.

July 12, 2023

Learn more


Consent & Preferences

Live demo: How to automate consent and preference management with OneTrust

In this webinar, we demonstrate how OneTrust Consent and Preferences helps build stronger customer relationships by providing transparency, giving users control over their data use, and delivering personalized experiences.

June 29, 2023

Learn more


Privacy Management

Unpacking the EU-US DPF

In this webinar, we cover the new EU-US Data Privacy Framework (EU-US DPF) and what privacy program managers need to know for post-Schrems II data transfers.

June 28, 2023

Learn more