Our client is a leading business in the UK water sector and a FTSE 250 company, providing clean water and wastewater services to over 3 million people and 300,000 businesses.
In 2021, they were looking to increase the maturity of data protection across their organisation, as well as expand their Data Privacy team. While their Data Privacy team had identified several areas that could be improved, they lacked the resource to make these changes without first being able to demonstrate the value to the wider business.
The Challenge
In 2021, before working with Bridewell, our client had a relatively small data privacy team. While there was no question of their compliance, there were areas where they'd identified scope for improvement within data protection. At the time, Data Subject Access Rights Requests (DSARs) were spread out across the business and not being handled consistently, their DSaaS wasn’t centralised, and their Records of Processing Activities (ROPA) needed an update.
However, since they didn’t have the resources to implement improvements, they first needed to expand the team. This required educating the wider business about data privacy in order to secure the resources needed for a larger data privacy function. Having worked with Bridewell previously, our client chose to work with us to support them in assessing their maturity, recommending improvements, and engaging the wider business.
The Solution
To help our client enhance data protection across their organisation, we first delivered a data privacy maturity assessment in 2021. Our report made detailed recommendations on areas in which our client could improve, providing their data privacy team with clear evidence and rationale for the need for greater resources.
The data privacy team found that the report was a valuable asset as it helped them secure buy-in from the wider business, enabling them to access the resources needed to enhance their data privacy programme. Based on the report findings, our client subsequently brought us on to help update their ROPA and put processes in place to ensure it was updated more regularly. We also performed a data mapping exercise in 2022 for both our client and one of their subsidiary businesses that provides billing and customer services.
Through the exercise, their ROPA was refreshed and automated via workflows in OneTrust. This required deep-dive workshops with each business area to understand our client's personal data processing activities. We then provided technical support with importing the outputs of the sessions into OneTrust, which provided our client with the platform to streamline its approach to maintaining its accountability documentation through automation.
Through the engagements, we had regular communications with our client's key stakeholders, providing them with clarity on how the project would progress, what we'd deliver, and what was needed from their side. Later in 2022, we also worked with our client to implement an internal audit approach aligned to ISO 27701 for second line assurance, enabling them to oversee their risk management and compliance functions and audit high-risk areas of the business.
The Results
Today, our client has a mature data privacy function with a much expanded team of data privacy professionals. With this additional resource, the team are able to undertake a number of workstreams for data protection so that maturity is constantly improving.