The customer is a leading private equity firm in San Francisco that holds over $10 billion in assets under management. The firm’s portfolio includes a diverse roster of companies in technology, real estate, healthcare, and consumer goods. 

The firm helps its portfolio companies scale their growth sustainably. While headquartered in the US, the firm also had 14+ offices in 10 countries across North America, Europe, and Asia.

Its risk management and compliance managers were responsible for GDPR compliance by keeping track of information held on investors, portfolio companies, and their employees. 

‍

Background

‍

A need to simplify and speed up regulatory compliance

‍

Regulations such as the EU GDPR (General Data Protection Regulation) require organizations to know what sensitive data they collect, how they process it, and what they do with it. In addition to explaining data collection, storage, and use, organizations must ensure that it’s easily accessible.

‍

GDPR compliance also mandates organizations to track and report breaches within 72 hours. 

‍

To this end, the risk management and compliance managers at the private equity firm had to manage and continuously monitor all information related to audits and compliance. This would involve (but wasn’t limited to) the following:

‍

Engaging with various business units and teams to continually review their processes and policies, in preparation for compliance audits

Helping in matters involving sensitive data related to regulatory approvals, information governance, M&As, and due diligence

Ensuring that all employees understood and followed corporate policies and standards regarding sensitive information

Spotting and reporting all incidents of non-compliance such as fraud, improper access, and violation of corporate policies or procedures

Analyzing new rules or circulars issued by regulatory bodies and advising business units for compliance on their operations

‍

‍

As the firm’s portfolio expanded, it became challenging to look for the right information, organize it as per standardized formats, and discuss it with the relevant people at scale. 

‍

The managers spent 26% of its time each month looking for information and organizing it. Despite the time and effort invested, they could put together all the data they needed for compliance audits and reports only 76% of the time. 

‍

This could translate to potential GDPR or RBI penalties that affected the firm’s brand image, besides cutting into its margins. 

‍

So, the firm wanted a tool that simplified compliance, access, and visibility with: 

‍

Auto-tagging and classification of sensitive data:

Since several systems captured data at scale and not all of them were interconnected, a large part of compliance still involved manual data cataloging.

Google-like search:

Information was siloed across various systems and departments, making it difficult to find and keep track of all that data.

Seamless information exchange and collaboration:

Sharing After spotting any anomaly, the legal team would have to document their findings, attach proof, and share it via an email.

‍

‍

Discussing the anomaly would involve numerous back-and-forths across various teams, using multiple channels of communication – email, Slack, conference calls, and more.

‍

Real-time curated information feeds on new standards, regulations, laws, and more:

As updates on regulations and standards became more frequent, the legal team was expected to stay on top of the changes immediately.

‍

‍

With the firm expanding across geographies, the team wanted a mechanism in place to curate and share the essential information in real-time.

‍