Case Studies

 

PrivacyClue provides a range of services to support privacy leaders, to extend the capabilities of privacy teams, and to fill emergent needs when teams or resources are stretched to their limits. Below are a few examples of projects we have undertaken for Fortune 500 firms.

 

Restructure a Privacy Program Post-Merger

We are frequently brought in at various stages of merger and acquisition activity, from analyzing a business or market segment before the term sheet, to due diligence (virtual data rooms or on-site), to post-acquisition integration plans. For example, we were engaged by a major medical device manufacturer to overhaul their privacy program following a merger that significantly increased their global footprint and added many more patient-facing lines of business.

Our tasks included:

  • Design a new data protection framework that accounted for all of the regions in which they had operations;

  • Create/revise Records of Processing (including data inventories and data flow maps in a digital data management tool) for all incoming product lines; revise existing data inventories for more than 50 existing data flows;

  • Conduct/revise Privacy Impact Assessments (and DPIAs where necessary) for all incoming product lines to align with the new framework;

  • Identify gaps in data-related policies and standard operating procedures, design a plan for creating/updating documentation and produce initial drafts, then project manage the feedback and completion;

  • Develop customer-facing “datasheets” that explained data flows across 15 products and all data protection programs and measures in place;

  • Present to executive teams and to the Audit Committee of the Board the outcomes of our projects.

We delivered the project on a fixed-price basis and completed all components within our scheduled time frames. As a result of the positive experience, we were asked to provide a number of other services, resulting in a multi-year relationship.


Conduct a Company’s First Comprehensive Data Inventory

We were engaged by the North American division of a major global electronics, medical device, and industrial materials manufacturer. This entity had more than 15 loosely connected divisions with a huge variety of consumer-facing and B2B operations, including extensive healthcare-related operations. The parent organization provided basic administrative and HR functions, but every division had its own responsibilities for privacy, security, sales and marketing programs. The project was to conduct the first comprehensive data inventory across all of the companies, as many of the divisions had done very little privacy program development.

We developed a project plan for a comprehensive data inventory project, identified the stakeholders needed within each organization, and assembled a small team of consultants to begin working in parallel. The project was originally scheduled for 120 days, and there was no room for adjustment because the results needed to be delivered prior to an important corporate event. The project was also proposed on a fixed-price basis according to the scoping done at the outset.

The project was completed on time and exactly to budget. The end result was over 300 pages of risk analyses, data maps and inventory spreadsheets with accompanying digital records, a set of executive briefings and a prioritized project plan for Privacy Impact Assessments and Data Protection Impact Assessments (DPIAs) for all identified high-risk data processing activities. Based on the success of this project, we were engaged to support their newly-formed privacy team in their PIA/DPIA projects. We were subsequently engaged by their EMEA division to replicate the project in their regions in advance of the GDPR effective date.


Privacy Training and Privacy by Design Programs

We were engaged by a global pharmaceuticals manufacturer to develop a training program focusing on privacy, anti-spam, and behavioral advertising practices for their product marketing teams across eight business units. We designed the program based on the company’s data protection framework (which we had helped them develop in a previous project), and prepared written, online, and in-person training materials. We delivered the training onsite in five locations around the globe and worked with their corporate communications team to create videos of the sessions for future delivery on demand.

This project included training and awareness of privacy requirements applicable to general product marketing activities, but we also worked with counsel to incorporate other compliance requirements mandated for the marketing of pharmaceuticals. For those staff engaged in developing campaigns, and for the product and engineering teams supporting various in-house and third-party marketing tools and platforms, we created a more formal Privacy by Design program. This program included development of a series of guidance documents, workflows, and questionnaires designed to create a structure for incorporating privacy into the development of marketing campaigns and supporting tools.

The training materials were very well received, engagement with the audiences exceeded expectations, and the materials were used for many years with minor updates until the company was acquired and incorporated into another major firm.