Enhancing data rights governance for a global battery recycling leader
As a global leader in battery recycling and lead production, our client processes a vast amount of personal data, including that from employees, suppliers, and customers. As such, ensuring compliance with different, evolving data protection regulations, particularly in the EU and US, is paramount, including the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).
The сhallenge
The company reached out to HewardMills requesting a review of its Data Subject Rights (DSR) policy and seeking expert guidance to establish clear, compliant processes for handling Data Subject Rights Requests (DSRRs) and ensuring robust governance of personal data to avoid potential non-compliance risks.
Our approach
Our expert team worked closely with the company’s privacy committee to review and standardise the Data Subject Rights policy, identifying areas where expansion and specificity were needed to address the unique requirements of the General Data Protection Regulation (GDPR) (EU and UK) and California Consumer Privacy Act (CCPA) and ensure regulatory compliance.
We then assisted with the development of two separate Data Subject Rights policies:
One dedicated to EU and UK data subjects, crafted in strict accordance with the GDPR (EU and UK), covering rights such as access, rectification, and erasure.
A second DSR policy specifically for California consumers, aligned with the CCPA’s focus on rights like access to personal information, opt-out of sales, and deletion.
To support policy implementation, we created Standard Operating Procedures for the UK, EU and US regulations. These set out clear, actionable steps for internal teams to follow when responding to data subject requests.
Impact
The tailored Data Subject Rights policies and Standard Operating Procedures provided a clear, structured approach to fulfilling data subject rights in the UK, EU and US. By aligning its policies with regional regulations, the company strengthened its compliance framework and demonstrated its commitment to data protection and privacy on a global scale.
Furthermore, we helped enhance the transparency of data practices, minimising the risk of non-compliance with privacy regulations and improving the internal handling of data requests. Giving positive feedback, our client commended the practicality and clarity of the new policies and standard operating procedures, which have become integral to their ongoing compliance efforts.
