The Institute of Brewing & Distilling (IBD) began its life as ‘The Laboratory Club’ in 1886 and, after various transitions, took its current name in 2005. The IBD provides membership services to brewing and distilling professionals globally and provides learning opportunity and professional qualifications with c. 4,000 exam registrations every year. The IBD now has members in 100 different countries and aims to create a community of brewers and distillers to support networking and the dissemination of knowledge.
The IBD recognised the need to protect its customers and other stakeholders by implementing a robust data privacy regime to be compliant with the General Data Protection Regulations (GDPR). The IBD chose to partner with Equantiis to support its GDPR transformation.
Like many membership organisations, the IBD has been running for many years, predating the digital environment we now operate in and has been through a number of organisational changes over the years. The way in which data were being managed had developed organically over time to meet the current requirements and challenges facing the organisation. Additionally, the IBD recognised that some of the technology in operation would not be capable of supporting GDPR requirements around the deletion of data and consent.
The IBD recognised the need to identify gaps in its current level of compliance with the GDPR and to become equipped with a prioritised plan of action to remedy those gaps. Being a small organisation in terms of number of employees, the IBD also recognised the need for support from a third–party to implement the plan.
The IBD selected Equantiis to deliver this project, and leveraged Equantiis’ GDPR Maturity Assessment tools to support benchmarking compliance against regulatory readiness and maturity within similar organisations. Equantiis’ approach to GDPR draws on its legal, business and technology expertise, all of which were important to the IBD for successful implementation of a robust data privacy regime.
Equantiis undertook two core, related pieces of work with the IBD to support the requirement to become GDPR compliant:
- GDPR Maturity Assessment
- GDPR Transformation Consultancy
GDPR Maturity Assessment
Equantiis began the project by interviewing key members of IBDs’ staff with two goals:
- To validate and raise the level of awareness of data privacy across the organisation
- To gather qualitative data as part of a comprehensive discovery exercise that assessed the IBD’s current data governance; processes; policies; and technology; for compliance.
Separately, Equantiis worked with the IBD to gather quantitative data on the same themes and conducted documentary analysis.
This multifaceted approach allowed Equantiis to identify gaps and areas of excellence within current practices, policies and technology and to develop a Transformation Roadmap – providing a clear and concise route to improving GDPR compliance.
GDPR Transformation Consultancy
Subsequently, the IBD partnered with Equantiis to provide the support they needed to be able to implement a data privacy regime to meet the requirements of the GDPR, as identified in the Transformation Roadmap.
This included supporting the IBD in: the identification and recording of processing activity; conducting Data Protection Impact Assessments and Legitimate Interest Assessments; producing policy, procedure and privacy notices; third party analysis; process change; implementing compliant consent; and providing custom training.
As a result of partnering with Equantiis, the IBD was able to quickly understand the gaps, risk and opportunity in its current processes, policies and technology. More importantly, the IBD was able to understand its obligations and work towards a clearly defined list of the steps required to reach compliance.
Equantiis’ approach to GDPR enabled the IBD to:
- Understand the gaps, risks and opportunities in current business practices in relation to data privacy.
- Implement a clear roadmap of actionable tasks to transform business practices to improve GDPR compliance.
- Identify and record the personal data being processed across the organisation, including within regional volunteer groups.
- Implement the necessary policy, procedure, process change and training to support GDPR compliance.