Cybersecurity: GDPR of marketing department in US-based beverage company
Challenge
As part of its operations, the Marketing department of a large US-based beverage company collected and processed large amounts of personal data on customers in multiple countries. Because some of their operations fell under the jurisdiction of the European Union, they needed to assess their operational compliance with the privacy policy rules under the EU’s General Data Protection Regulation (GDPR).
In particular, they were concerned about being fined for non-compliance, or losing market share if they were subjected to sanctions requiring them to temporarily cease operations. They also recognized that if they were found not to be compliant, other compliant companies would not do business with them.
The company initially tried to do this assessment in house. However, it was taking 30 days to respond to Data Subject Rights requests (DSR), which was the maximum time allowed by law, when it should have taken only two days to respond. It was also taking an average of 200 work hours to complete each DSR, instead of the eight hours or less that was budgeted.
As a result, qualified resources were being exhausted, and they would be stressed even further with an expected increase in demand – which, in itself, could result in an investigation and a potential fine.
Making matters worse, the company’s IT systems were located in multiple regions, causing an additional challenge, because evaluating the infrastructure of all subsidiaries was within the project scope.
How Mazars helped:
The company asked Mazars to assist in developing a viable DSR program, based on IT-related auditing and consulting work that Mazars had done for them in the past.
In less than four weeks, Mazars, working together with the client’s IT, Compliance and Legal departments, developed a GDPR compliant DSR program that enabled the company to perform DSR’s on 20+ selected systems within one week, in less than 40 working hours – a fraction of the time it had previously taken them.
Results:
By adopting Mazars’s approach, the company was able to perform roughly five DSRs per month using only one person, instead of four to five people per DSR. Given that the subject matter expertise required to complete DSRs is an expensive resource (roughly $150k-$200k per FTE), the customer was able to avoid hiring an additional six resources, creating a savings in excess of $1 million annually.
And, best of all, the company’s senior executives now have a high level of comfort that the risk of fines, and the associated impact on the brand’s reputation, have been minimized.
The information provided here is for general guidance only, and does not constitute the provision of tax advice, accounting services, investment advice, legal advice, or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal or other competent advisers.