- Cookie Consent and Website Scanning
- Data Mapping Automation
- PIA & DPIA Automation
Virtuoso’s Technology-Powered Approach to GDPR Compliance with OneTrust
Virtuoso is a network of luxury travel agencies that connects travelers to the best travel agents, with more than 17,500 advisors and nearly 1,700 preferred partners, including top hotels, cruise lines, tour operators, and more.
Virtuoso’s business spans countries and continents, much like the travelers they service, which made their approach to privacy and compliance with the General Data Protection Regulation (GDPR) a unique opportunity to demonstrate compliance to their network of agents and partners and educate them on data protection best practices.
Partnering with OneTrust to address multiple data protection challenges
Several areas within the Virtuoso business process personal information. Network members share data with Virtuoso, such as bookings and client information, to enjoy the benefits provided by various Virtuoso programs and services. Virtuoso provides its own booking tools through which customers or travel agents submit their own bookings. Agencies and suppliers also share data back and forth.
“We must maintain a high trust relationship with our members,” said Josh Mason, VP of Engineering at Virtuoso. “Knowing that we’re the stewards for someone else’s data, we have to manage, protect and ensure data is handled in the right way.”
Virtuoso realized the importance of leveraging a comprehensive privacy management tool like OneTrust for assessment automation, data mapping, cookie consent and ongoing GDPR-related updates and maintenance.
“OneTrust makes life easier,” said Rekha Kothamachu, the Director of Data Integration and Reporting at Virtuoso. “If there’s a change to an application or process, through OneTrust everyone involved is aware of the change and can determine if one change causes other data impacts.”
Virtuoso also provides its network of travel agents the option to white label their website for their own business. With thousands of agent websites under the Virtuoso domain, cookie compliance and website scanning are a critical area for their privacy efforts. The Virtuoso privacy team implemented the OneTrust cookie banner and preference center on the main Virtuoso site and hundreds of agents’ sites.
The best part, according to Mason, is the automated scanning and auditing. “OneTrust scans our website and audits us to ensure that if there are new cookies or anything added, those get raised to us to classify and update our privacy/cookie policies. I don’t have to be dependent on engineers working on the product to let us know that cookie changes were made,” he said.
Educating a massive, global network on GDPR
Virtuoso recognized that privacy should not be delegated to one department but should be an organization-wide initiative, and that ongoing training and education were important to the success of their data privacy initiative. Virtuoso embarked on an education campaign for both staff and members/suppliers to have ownership over their role in keeping data protected. Their goal was to create a shared vision for privacy and make it an ongoing part of the company culture.
“Everyone in the entire organization, from reception to sales to engineers, all need to understand what the compliancy rules are and what the laws are for data privacy,” said Mason.
For members and suppliers, Virtuoso partnered with OneTrust’s in-house privacy counsel to host webinars to educate them on the GDPR, its scope and how their businesses may need to change due to the new regulation.
“It’s not just about our agent’s contacts in Europe, it’s everything that they have access to that may fall under the scope of GDPR,” said Kothamachu. “These concepts can take a while to fully understand, so we’ve had constant communications with staff to address lingering questions and clarify their responsibilities under the GDPR.”
Now that GDPR is in effect and ongoing regulation changes are happening globally, Virtuoso is continuing to train employees, members and partners with the help of OneTrust around generic GDPR concepts.
Ongoing efforts for global privacy protection
The Virtuoso team understands that GDPR and data protection are an ongoing process. They plan to use OneTrust to intake data subject requests and will leverage other technology systems to automate some of the back-end processes required under GDPR.
“You need to have a streamlined process to comply with the advanced timelines of GDPR,” said Mason, with regard to the GDPR’s 72-hour notification timelines. “The tooling and automation is critical to meeting those timelines.”
GDPR preparation allowed Virtuoso to demonstrate that they have the processes in place to safely collect, store and process personal information. The initiative also gave Virtuoso an opportunity to provide reassurance that data protection is an important pillar for the company.
© 2019 OneTrust, LLC. All Rights Reserved.