CASE STUDY
Privacy Program at an Indian MNC in the Automotive and Services Space
Context
The group is a large Indian multinational in the automotive and other diversified services space, with multiple entities and operating in over 50 countries. Consequently, the group has exposure to multiple country-specific Privacy Laws & Regulations as well as specific sectoral laws in certain jurisdictions. To add to this complexity, regulatory oversight within the group is fragmented with several legal teams looking at different entities, none of whom has had any prior privacy experience. In this scenario, the group needed to establish and deploy a Privacy program that met their diverse stratified requirements in the most effective and optimal manner.
Approach
Arrka’s approach was tailored for their specific challenges. The overall approach recommended was to ‘take baby steps’ by starting with a pilot. With everyone new to Data Privacy as a concept, it was important to get all the stakeholders up the learning curve about what exactly this program was all about, the likely impact it would have on the business and, therefore, what plan of action would work best for the group. This approach was signed off by their Senior Management. Hence, as a first step, a Gap Assessment of two of their key businesses was conducted.
The learnings from this exercise were used to design a group-wide privacy program that could be rolled out in a phased as well as federated manner that would work best for the way the group is organized. A Central Group Data Privacy Office was established to serve as the Centre of Excellence as well as to drive and guide the program overall. Priorities and timelines for rolling out the program across the rest of the group were worked out based on the type of Business, Immediacy of exposure & Severity of Penalties.
Solution and Results
Conducted a “Law Mapping” exercise to identify common requirements across countries. Worked closely with the Central Legal team and local country legal partners to clarify complex requirements.
Developed Personal Data Inventory for all Data Subject Types (Customers, Employees, Dealers, Dealer Employees, Vendors).
Customized “Light” Assessments for Smaller entities and avoided a “One Size Fits All” approach
Developed a Central Repository of 100+ Privacy Policies, Procedures, Templates
Entities “adapted” processes from the Central Repository to accelerate implementation
Identified all “Vehicular Data” and controls
Identified “Data Center” locations to meet adequacy requirements across laws.
Worked closely with cross functional teams from Legal, Marketing, IT, CX etc. to finalize “Consent” requirements
Benefits
Ensured Compliance to Privacy laws across 90+ countries
Setup Privacy COE within 1.5 years.
Enabled Privacy Compliance to the RBI Digital Lending Guidelines within 3 months
Trained 200+ Team members on Privacy Compliance
Embedded Privacy into the Vendor Due Diligence process
Helped the Digital Product arm to develop Privacy Compliant products to be sold to 3rd Parties