GDPR, Privacy & Compliance: Successful Configuration of OneTrust Platform at Alfasigma
One of the top five Italian pharmaceutical companies, Alfasigma achieved a turnover of almost 1 billion euros in 2021.
The company was established in 2017 from the merger between Alfa Wassermann and Sigma-Tau. Currently, Alfasigma has around 3,000 employees worldwide and 17 direct branches, and – through top distributors – it is present in more than 70 countries.
About the Project
Alfasigma needs to handle sensitive data about its collaborators, customers, and suppliers to provide its services. Since Alfasigma and most of its partners and customers are based in Europe, the General Data Protection Regulation (GDPR) applies to them. Given that Alfasigma and its partners process the personal data of European citizens for business purposes, they must comply with the GDPR.
To manage GDPR requirements and privacy processes, Alfasigma chose OneTrust, one of the best privacy management resources in the world. We helped them configure and customize the modules of the OneTrust Platform to automate the record of processing activities. With the configuration of OneTrust modules, we also helped Alfasigma mitigate the vulnerabilities of their existing processes.
Alfasigma acquired the license of the OneTrust Privacy Management tool and started to configure and use it. This tool is built for Privacy, Security, and Data Governance, and it automates critical processes to empower the IT and legal teams of the organization using it. Alfasigma also acquired the license of several other OneTrust modules. Among those, we helped them configure all the OneTrust modules our customer needed to address its pressing GDPR and privacy requirements and to access the OneTrust platform more efficiently.
As the modules were not configured to match the needs of its processes, Alfasigma still relied on traditional methods for recording processing activities. These methods mainly involved using Excel files for record-keeping and data collection, which are prone to human error and difficult to keep up to date and share within the company. They needed to configure the OneTrust modules to completely automate the processes and eliminate all the processes’ vulnerabilities.
The information on processing activities, systems in use, and related vendors was available, but it was not linked effectively.
Also, as Alfasigma is a group of several companies within Europe, configuring the platform to fit the group’s needs helped centralize and export the model to all the companies.
OneTrust is one of the most widely used platforms providing regulatory intelligence, automation, and flexible solutions that operationalize privacy programs. The modules of the OneTrust platform collect and process incoming information in a more structured manner. In this way, the modules automate the respective processes and make the information easy to access.
For our team, Alfasigma was a unique case in which they not only implemented the OneTrust Privacy modules but also started configuring them according to their needs. So, we incorporated our solutions in the following steps:
Configuration of OneTrust Modules:
The work at Alfasigma began with an analysis of the current situation. Our team completed this work in the following stages:
- Analysis of the attributes of the Data Protection Framework to understand the As-Is Record of Processing Activities (RoPA), Risk Analysis, and Control Framework.
- Analysis of OneTrust features and attributes, focusing on the Data Mapping and Assessment Automation modules, to define To-Be models and identify the relevant tool gaps.
- Configuration and set-up phase related to the Organizational Structure, Attribute management, Questionnaires (Assessments).
- After the preparatory work was done, we started working on the configuration of OneTrust modules to streamline the data collection from all Alfasigma business units.
The list of modules we configured (during the following projects) is as follows:
- Assessment Automation
- Data Subject Requests
- Vendor Risk Management
- Data Mapping
- Cookie Compliance
- Policy and Notice Management
We started with data mapping and assessment, then configured all other modules through integrations with other platforms (e.g., Consent management).
The OneTrust modules come with standard settings, which may require further customization according to users' needs. Therefore, we worked on each module individually to configure it for the needs of Alfasigma's processes.
We were also involved in vendor privacy compliance management, where we supported the management of DPAs, SCCs, etc., all through the OneTrust platform.
Migration of Data
We also migrated the data from Excel files to OneTrust databases. This step standardized all the activities and made Alfasigma compliant with the GDPR guidelines:
- Making a collective record of existing data, which was in the form of Excel files at that point
- Massive data entry (migration) of Processing Activities, Assets (Systems), Legal Entities in scope, User List, Managing Organization hierarchy
- At the end of the activity, we also performed a User Acceptance Test (UAT) and held training sessions.
How the Solution Helped
Successful configuration of the OneTrust modules according to Alfasigma's needs led to the following primary benefits:
- Increased efficiency due to OneTrust modules customized to the operational requirements
- Total independence from manual data management, i.e., Excel files
- Automation of the Record of Processing Activities
- Establishment of a functioning system detecting new processing activities and/or maintaining existing ones
Development of the Websites’ Privacy Ecosystem:
We are also working alongside Alfasigma on the websites’ privacy aspects. We established a Privacy Ecosystem based on a defined set of Golden Rules on corporate and product websites by collecting and managing consent from employees and Alfasigma’s consumers. This Privacy Ecosystem mainly included handling cookie banners, policies and notices, consents, and data subjects’ rights.
Building trust in the platform’s use, fitting it to their needs, and achieving their desired results helped the client explore the other available functionalities and use OneTrust as a Privacy center.