
Comprehensive privacy governance with ePrivacy

Challenge

A powerful Spanish multinational group in the construction, infrastructure, public services and real estate sector, with hundreds of companies and a presence in multiple territories, faced a growing privacy challenge:

  • Demanding regulatory frameworks (GDPR, LOPDGDD and sectoral regulations).
  • A highly complex organisational model, with subsidiaries, joint ventures and investee companies.
  • Centralised corporate governance, but with highly decentralised operations.
Privacy management was supported by corporate policies and tools. The fact that they were dispersed made it difficult to:
  • Maintain a Register of Treatment Activities (RAT) that was complete and up to date for the whole group.
  • Coordinate Impact Assessments (IAIAs), responses to stakeholder rights and gap management.
  • Align all companies in the group under the same homogeneous compliance criteria and evidence.
The organisation needed a global and operational solution. The aim was to move from a reactive and documentary approach to a structured model of integrated privacy management.

Approach

ECIX Tech designed and implemented a Legal Group Privacy Operations service, supported by the ePrivacy solution as a corporate platform. The approach was articulated at three levels:

  1. Privacy governance and operating model
    • Definition of a corporate governance framework that combined central (corporate) management with local privacy roles in subsidiaries and business units.
    • Establishment of roles and responsibilities (corporate DPOs, local managers, area coordinators) and workflows between them.
  2. Deployment of ePrivacy as a global solution
    • Configuration of ePrivacy as a single platform for the whole group, with views and permissions by company.
    • Consolidation of the Register of Treatment Activities. The system allows processing activities to be managed by company, area and process.
    • Implementation of modules for:
      • EIPD and risk analysis for high-impact processing activities.
      • Management of data subjects' rights (ARCO-POL) with full traceability of deadlines and responses.
      • Management of data processors and contracts with third parties.
      • Registration and monitoring of security incidents and breaches.
  3. Legal Operations and continued support
    • Legal Operations support from ECIX Tech for operating ePrivacy on a day-to-day basis: review of processing activities, support in EIPD, definition of templates and common criteria.
    • Training for key teams in the group to consolidate a homogeneous working model, regardless of company or country.

Results

The combination of the Legal Operations service and the implementation of ePrivacy as a corporate solution enabled the business group to:

  • Have, for the first time, a complete and centralised map of personal data processing in all group companies.
  • Standardise privacy criteria and processes, ensuring that all companies apply the same rules, templates and standards.
  • Significantly reduce the manual effort involved in collecting information, consolidating Excel spreadsheets and preparing reports, replacing it with automated flows and single records in ePrivacy.
  • Improve responsiveness to internal audits, customers and supervisory authorities, providing traceability and immediate availability of evidence of compliance.
  • Reinforce the role of the corporation as a privacy governance and coordination centre, without losing the involvement of the operating companies in the day-to-day management.
Overall, the project transformed privacy in the group into a managed, measurable and governable process, with ePrivacy as its technological backbone and a Legal Operations model that guarantees its sustained operation over time.
