“We are stewards of our customer’s data,” said Chief Compliance Officer, Peter Heming, who was put in charge of the company’s GDPR efforts. “We don’t own it, it belongs to our customers, and they trust us to protect it.”

Browsing for the perfect GDPR and global privacy partner

Heming began his GDPR efforts in late 2017 and started by reading the letter of the law – literally. He read the GDPR text cover to cover four times before mapping out a plan to tackle the regulation’s demands.

“I am a firm believe that you can never do enough planning on implementing a project like the GDPR,” said Heming. To start the project, Heming brought together a steering committee of various representatives across the company to tackle the challenge.

With the countdown to the GDPR enforcement date quickly approaching and the realization that the problem was too complex to build a home-grown solution, Heming determined a third-party partner would best suit the needs of Web.com.

The Web.com team evaluated a number of vendors and consultants to help with GDPR compliance. Many vendors the team evaluated were either too narrow in their approach, didn’t understand the various nuances of the Web.com business, or couldn’t provide a comprehensive approach to GDPR and global privacy laws, said Heming. After an extensive vetting process, there was a clear frontrunner.

“It wasn’t a hard decision to select OneTrust,” said Heming.

The team chose OneTrust because the technology could adapt to the Web.com business as a controller and processor, it was flexible to adjust to various requirements of different global privacy requirements, the platform was intuitive and OneTrust could provide a quick implementation process.

“I’ve implemented a lot of projects form a vendor and company perspective, and ease of implementation is critical,” said Heming. “We signed with OneTrust in March and were ready to go live prior to the May 25 GDPR deadline. This rapid deployment was critical to our project’s success.”

The gateway to a comprehensive privacy program

Web.com leverages a host of OneTrust modules for a comprehensive, global privacy program.

Web.com has multiple consent collection points across its web properties. Heming determined which of their communications – transactions, direct marketing, general marketing, etc. – required consent and which could be considered legitimate interest. He then used OneTrust’s Consent and Preference Management module to manage the various collection points and user preferences.

“OneTrust enabled us to customize consent on storefronts and landing pages,” said Heming.

The Web.com team also uses OneTrust’s Cookie Consent Management module for its cookie consent and preference center and are actively implementing the customizable banners across their websites.

Through the OneTrust Data Subject Access Request (DSAR) portal, Web.com is able to operationalize the dozens of subject rights requests it gets per month. The company has two DSAR portals, one for affiliates and another for customers. Since Web.com’s affiliate resellers are controllers of data (and Web.com is the processor), affiliates can use OneTrust to submit DSAR requests on behalf of their customers.

“OneTrust’s DSAR portal is effective, easy to use and engaging for our customers,” said Heming.

One of the benefits of using OneTrust for marketing compliance purposes is a complete record and audit trail for consent and subject requests. In fact, two DSAR requests have been escalated to two separate EU-country DPAs. Heming’s team has used the OneTrust to provide a full audit trail to DPAs that the contested subject requests had been sufficiently fulfilled.

“We had a fully documented audit trail and were able to look back at the request, provide evidence of communications, prove we removed all the data we didn’t need to retain of other regulatory purposes. The DPA accepted it and closed the case,” explained Heming.

Web.com also uses OneTrust for assessment automation (PIAs/DPIAs) and data mapping. “OneTrust allows us to understand our data flows, create documentation and generate Article 30 reports for regulators, this is critical for us.”

For assessments, Web.com is able to integrate with JIRA. If a risk is identified in JIRA that’s associated with personal data, it kicks off a simple five-question PIA in OneTrust for a DPO to complete.