Case study

RSM's global resources enable beverage leader to reach GDPR compliance

May 29, 2019
Tags: Food & beverage | Cybersecurity consulting | Regulatory compliance | Cybersecurity

Overview

Our client is a leading European provider of integrated water and coffee solutions. The company currently has nearly 3,000 employees, and a distribution network across Europe that includes production facilities, a fleet of more than 1,000 service vehicles, and dozens of local water sources.

Background

With the European Union’s General Data Protection Regulation (GDPR) enforcement deadline approaching in May 2018, the company proactively sought outside assistance to get ahead of the GDPR and implement an effective compliance program. The company was required to comply with the new law because it has operations in 15 European Economic Area (EEA) countries and processes data for thousands of European clients. However, it did not have a complete grasp on what personal data it held that was subject to the GDPR, or how to achieve compliance with the new privacy obligations.

In many instances, companies try to evaluate and adjust their data processes internally, but do not understand the expansive scope of GDPR guidelines and the compliance challenges that often arise. Seemingly familiar terms, such as “personal data” and “processing,” have specific and broad meanings in the GDPR, and companies are not necessarily familiar with the appropriate definitions.

Project

RSM was chosen to help the company based on the team’s collaborative approach and proven experience with GDPR compliance, as well as its extensive, successful relationship in several key risk management areas with the company’s U.S. parent.

For the company, developing a governance structure was the first step to achieving GDPR compliance. Therefore, the RSM team initially established a project management office and steering committee to guide the significant amount of work necessary to adhere to the GDPR.

RSM then brought every key stakeholder that was responsible for GDPR compliance to the company’s European headquarters and led a daylong education and planning session. The session covered the full scope of the GDPR, including its implications and requirements, as well as initial projections for how business processes would need to change moving forward.

“Many stakeholders were unfamiliar with GDPR and didn’t really have a clear sense of how much it was going to affect the company,” said the client. “We don’t necessarily think of ourselves as a company that keeps personal data, so, on our own, we would have been thinking that this did not really affect us. Therefore, setting up that initial kickoff was paramount for us to define the scope of the project.”

Next, the RSM team led a thorough data mapping exercise. The business is highly distributed, with specific processes in each country, and no centralized data register existed that catalogued the quantity of data, its purpose, or its significance in the context of the GDPR. RSM worked with the organization at both a corporate and country level to understand what data the company held, how that data was used and, more importantly, why and how that data was processed.

“RSM conducted discovery sessions with all of the markets, thinking through what data they held that was affected by GDPR,” commented the client. “They considered the systems in place and spoke cross-functionally to the marketing and IT teams to understand the organization on an individual market level, where data was located, and how it was stored and used.”

Gathering the information was a complex process, with RSM leveraging its global footprint and its ability to work efficiently in native languages on the ground in all countries, including the U.K., Germany, France and Poland, among others. This was an eye-opening exercise for the company, which realized how much data it truly possessed and how much of it was subject to GDPR requirements.

After understanding how much data the company had, RSM developed a GDPR gap assessment and detailed implementation plan to determine what was needed to fully achieve compliance. Nearly 200 individual items were evaluated, and RSM worked closely with company stakeholders to address any potential gaps and help create an effective GDPR compliance implementation framework.

For example, RSM evaluated the company’s websites and direct marketing strategies to determine how they conformed with GDPR guidelines and national laws. The regulation was designed to be uniform across Europe, but differences do exist between countries, since half of its articles defer to European Union member states for specific national implementation details.

In fact, much of the work RSM performed helped the company understand and comply with data privacy requirements not only from a broad GDPR level, but at an individual country level as well. RSM helped the company navigate decisions about where a Pan-European policy could meet the requirements, and where a national approach was required on a country-by-country basis. For example, for website cookies, RSM developed and implemented a strategy that aligned with the most stringent national regulation and applied that across all markets—which was more efficient than a country-by-country approach.

“In addition to learning what data we have and where it is kept, we learned a lot about our own business through the GDPR implementation,” said the client. “I think that we are much more attuned to the concept of data minimization now. Our data retention policies have been completely revamped as a result of the GDPR implementation, and we give far greater consideration to the risk profile of any company with whom we are contemplating a data processing agreement.”

GDPR compliance is a considerable undertaking, and many companies do not understand how much data they have or how the law will affect existing business processes. RSM collaborated with key stakeholders to revise and create policies and procedures and developed an effective compliance framework that can also serve as a basis for additional privacy regulations.

“RSM helped us build a sustainable compliance framework and emphasized that it was not enough to only exert effort leading up to the enforcement date; we have to maintain and supplement the information gathered during the project,” said the client. “This is a living, breathing regulation. If a regulator comes by six months or a year from now and wants to see what you’ve done in terms of GDPR compliance, you have to have something tangible to hand over. In addition, the framework developed for us by RSM is reusable and now being leveraged as we plan for the implementation of the California Consumer Privacy Act.”

Outcomes

In the end, RSM created a top-to-bottom, proactive GDPR compliance program, working hand-in-hand with the company. The RSM team collaborated with stakeholders to understand the company’s current processes and where enhancements needed to be made to align with the GDPR. The RSM team ultimately established a comprehensive data privacy foundation for the company, leveraging experienced resources in several countries to encourage compliance from a GDPR and individual country perspective.

Key benefits of RSM’s service for the client included:

  • A collaborative approach, working in close cooperation with client management and both internal and outside counsel to achieve compliance in the most efficient manner
  • Creation of an all-inclusive GDPR governance program, specifically tailored to the business
  • Development of an extensive gap assessment and implementation plan to address any data privacy vulnerabilities
  • Development of GDPR-compliant business processes across the organization
  • A thorough training program, enabling stakeholders to understand their GDPR roles and responsibilities

“The relationship with RSM got us where we needed to be from a GDPR perspective, and that gives me comfort when I hear about compliance fines and the answers that the fined companies were unable to provide. I’m confident that we have those answers and can demonstrate that we have made every effort to be compliant, which is huge when it comes to GDPR.”