Our client is a leading European provider of integrated water and coffee solutions. The company currently has nearly 3,000 employees, and a distribution network across Europe that includes production facilities, a fleet of more than 1,000 service vehicles, and dozens of local water sources.
With the European Union’s General Data Protection Regulation (GDPR) enforcement deadline approaching in May 2018, the company proactively sought outside assistance to get ahead of the GDPR and implement an effective compliance program. The company was required to comply with the new law because it has operations in 15 European Economic Area (EEA) countries and processes data for thousands of European clients. However, it did not have a complete grasp of what personal data it held that was subject to the GDPR, or how to achieve compliance with the new privacy obligations.
In many instances, companies try to evaluate and adjust their data processes internally, but do not understand the expansive scope of GDPR guidelines and the compliance challenges that often arise. Seemingly familiar terms, such as “personal data” and “processing,” have specific and broad meanings in the GDPR, and companies are not necessarily familiar with the appropriate definitions.
RSM was chosen to help the company based on the team’s collaborative approach and proven experience with GDPR compliance, as well as its extensive, successful relationship in several key risk management areas with the company’s U.S. parent.
For the company, developing a governance structure was the first step to achieving GDPR compliance. Therefore, the RSM team initially established a project management office and steering committee to guide the significant amount of work necessary to adhere to the GDPR.
RSM then brought every key stakeholder that was responsible for GDPR compliance to the company’s European headquarters and led a daylong education and planning session. The session covered the full scope of the GDPR, including its implications and requirements, as well as initial projections for how business processes would need to change moving forward.
“Many stakeholders were unfamiliar with GDPR and didn’t really have a clear sense of how much it was going to affect the company,” said the client. “We don’t necessarily think of ourselves as a company that keeps personal data, so, on our own, we would have been thinking that this did not really affect us. Therefore, setting up that initial kickoff was paramount for us to define the scope of the project.”
Next, the RSM team led a thorough data mapping exercise. The business is highly distributed, with specific processes in each country, and no centralized data register existed that catalogued the quantity of data, its purpose, or its significance in the context of the GDPR. RSM worked with the organization at both a corporate and country level to understand what data the company held, how that data was used and, more importantly, why and how that data was processed.
“RSM conducted discovery sessions with all of the markets, thinking through what data they held that was affected by GDPR,” commented the client. “They considered the systems in place and spoke cross-functionally to the marketing and IT teams to understand the organization on an individual market level, where data was located, and how it was stored and used.”
Gathering the information was a complex process, with RSM leveraging its global footprint and ability to work efficiently in native languages on the ground in all countries, including the U.K., Germany, France and Poland, among others. The exercise was eye-opening for the company, which realized how much data it truly possessed and how much of that data was subject to GDPR requirements.