Compliance documentation concerning privacy and data protection within international organizations and companies in business groups is often duplicated. The same information or fields are constantly managed and updated by different people within various legal entities. A central solution can reduce this unnecessary amount of work and uncertainty.
A central solution means that the privacy documentation can work by using library elements shared within a group of companies. For example, the headquarter buys an SAP solution and provides all necessary information regarding the processing, the data storage, the technical and organizational measures, and the risk assessment within this SAP solution. This information can be made available to each entity within the group without the need for each entity to collect, edit, update, and document this information separately.
If central elements of the library change, e.g., the data storage location of the SAP solution, the headquarter managing the library record can update it and push it to all other legal entities. The other legal entities can then see a flag, get a notice on this change, and trigger their processes to change specific notices that might be required or ultimately approve the changes and update their records.
The same is valid for vendor assessments. Suppose a legal entity assesses a vendor regarding the cyber security maturity or privacy and data protection compliance. Other companies within the group can use this already curated, audited, and documented information. By sharing audit information between the entities of one group, synergies can be set free.
Using the performance modules provided by the Priverion platform, it is possible to use shared privacy data protection or cyber security assessments of vendors for all customers. For instance, if a company such as Adidas has already assessed a vendor for cyber security maturity using a cyber security standard or evaluation, that information can be made available to another company.
Considering the age of the previous assessment, the other company can then decide, based on the criticality of the vendor, whether to use the first company’s evaluation or engage in a separate vendor assessment. This reduces costs for consultants who are usually used to conducting the interviews and assessments and frees up OpEx that the company can then invest in improving processes in other areas.