Case Study: Healthspan

How easily maintainable records enabled the UK’s largest online supplements provider to exceed its privacy goals and reduce subject request handling time to 2 days

Estee Watchorn came in as the DPO for Healthspan in the summer of 2019 and was tasked with organising the huge volumes of personal data that many online businesses face. We caught up with her to learn how she came to understand the specific challenges her team was facing, and how she went about finding the right tools.

Could you give us a short introduction to Healthspan, your role, and what sort of personal data your organization processes?

I work for a retail company called Healthspan. It’s the UK’s largest mail-order supplier of vitamins, minerals, and health supplements. It was established by Derek Coates in 1996 and the company is based in Guernsey in the Channel Islands. The main client data that we deal with would be full names, addresses, email addresses, telephone numbers and that’s pretty much the majority of it. I still consider myself a newly appointed DPO, but I’ve grown significantly with the role over the past year.

What would you say has been your greatest privacy and data protection challenge so far?

I started in the position in August of last year and the biggest challenge by far was data mapping and inventory. I did not know where to start, what to ask, or even who to ask. Information was all over the place in different formats and was very often incomplete. There was an existing record of processing inventory in spreadsheets, but it was outdated and extremely hard to maintain. Our records were especially inconsistent when it came to processing flows (basically understanding and documenting the varying ways personal data is used throughout the business). Different departments had vastly different processes in place. In marketing, for example, there existed plenty of systems that nobody in other parts of the business had even heard of. It was eye-opening. 

Even for quite structured initiatives like DPIAs, there were so many competing templates. I felt very strongly that personnel in the company were being asked the same questions over and over again, and that the department had not been efficient in the use of external stakeholders’ time. 

How did you manage privacy and data protection before switching to DPOrganizer?

Word documents, emails, spreadsheets, you name it. Everything was spread out in a bunch of different locations. It truly was a nightmare. Especially when it came to uniting multiple compliance obligations, such as IT security compliance and incident reporting requirements, having information spread out in multiple locations and across multiple departments negatively impacted our ability to combine privacy and IT compliance efforts efficiently and to collaborate over information both IT security and privacy teams required.

Was there a specific point when you decided to explore privacy management solutions like DPOrganizer?

When I was appointed as the DPO I started looking into the processing activities the company carries out and all the information that required managing and structuring. I felt incredibly overwhelmed. Luckily, my first task from the Chief Information Security Officer was to look for a possible solution that could help us centralise our work. I immediately started hunting for solutions. I was after structure and searched for a platform that was simple to use, that would structure our work, and that would also help us as an organization to ask the right questions about GDPR. We needed a framework to approach our privacy tasks with. I needed to familiarize myself with the type of inquiries I needed to make into the processing activities of each department. At the same time, I also needed a tool that would standardise how all the information I was gathering was documented. For me, getting a tool that helped me build that structure effortlessly while being easy to use and easy to learn was vital.

However, upon seeing a lot of the tools out there I panicked. Most tools were overly complex, too expensive, or offered features that most businesses like ours just plainly didn’t need. 

I came upon the DPOrganizer and I was immediately intrigued with the simplicity and the built-in structure that it had to offer. The price tag was quite appropriate for us as well. In that way it was the perfect mix of functionality and price, and truly embodied what we needed at that point in time, as well as what I needed as a DPO to carry out and develop in my role. 

I would recommend the software over and over and over again for anybody who’s just getting started in the field.

In what areas of your privacy program has DPOrganizer delivered the most value? Do you have a favourite feature? 

Actually, when I just started to really dig into our privacy work, we had suffered a minor breach. I immediately began to investigate who the breach needed to be reported to, how it should be documented, and whether I needed to alert the DPA. DPOrganizer’s tool guided me perfectly through this incident and made it easy to see where the affected data was located and to evaluate what parties needed to be informed. In fact, it’s been these guided flows throughout the entire application that really help me to be thorough in carrying out my work. I often spot gaps one wouldn’t normally see when using Excel for example. 

In terms of overall reporting as well, it becomes very easy and quick to provide relevant stakeholders with the type of information they request and to explain or provide further details on processing activities, as well as what sort of data subject requests we receive. Whenever I involve colleagues from outside the privacy team using DPOrganizer I often get a remark like “oh gosh this is so simple to use”. It’s so easy for me to send processing reviews off to the relevant persons, and more importantly, it’s very easy for these persons to then go into the tool and edit the information I am looking for.

Ultimately, what I love about DPOrganizer is that I am so comfortable with asking for help from both your Product and Customer Success teams. Even when there haven’t been immediate solutions to my requests, the team always provides an interim solution until a stable one can be provided. I really treasure using a tool that is constantly evolving and improving to help me succeed in my role. 

Lately, I’ve been excited to put myself forward to help with the development of the E-Learning feature as well. As a privacy professional passionate about learning, teaching, and raising awareness for privacy, it’s great to be involved in the development of yet another feature that will help us train our organisation, while maximising the impact of our privacy work.

Are there any specific areas where you’ve seen improvement in your privacy efforts after implementing DPOrganizer?

When it comes to data subject requests it now only takes me about 2 days to respond to a right to erasure request when all the right stakeholders are available. This is a huge win for our business. We already know where all the information lies and it’s very easy to zoom in and find all the details on the relevant data required to complete requests.

When it comes to processing flows, I’ve been extremely efficient now at progressing through and documenting the varying ways we process data at our organization. Having an accurate, easy to manage ROPA in place was a huge concern of ours. Being able to make such strides with this challenge in so short a time is a windfall for our business. Especially because we are planning to scale to other countries, having all our records in place and being able to update them at scale means that our data protection efforts can grow with and support the business throughout its expansion.

If you could give advice to anybody who’s looking for tools right now, how would you advise them to start and are there any tips that you’ve learned from going through the process yourself?

My advice, first of all, would be to really understand what the things are that you struggle with and to know what your limits are in terms of cost. The moment when you know what your struggles are you will know exactly what to look for in terms of how to address it and the exact features you require. In this way, you can also avoid solutions that are too complex or too big for your specific challenges. When it came to DPOrganizer as well, I just knew that this was the solution that was right for us because it resonated with our challenges and was committed to helping us grow out of them.

Industry
Vitamins/health supplements, e-commerce

Company Size
Circa 200 employees

Location(s)
Headquartered in Guernsey, United Kingdom

Favourite DPOrganizer Features