Privacy Regulations Consulting for Software Dev Company
- Service: Cloud Consulting & SI, Cybersecurity
- Client: Confidential
- Engagement: May 2018 - Ongoing
- Quality: 5.0
- Schedule: 5.0
- Cost: 4.0
- Willing to Refer: 5.0
“They’re a leader in privacy matters.”
- Industry: Other industries
- Location: Chicago, Illinois
- Size: 501-1,000 Employees
- Review type: Phone Interview
- Verified
HewardMills helps a software company comply with security and privacy regulations around the world. HewardMills audits the client’s practices, helps craft its privacy notice, and advises on security regulations.
The company continues to be compliant with security and privacy regulations, and it has acquired important industry certifications, thanks to HewardMills’ help. The team has well-defined project management processes, and the client is impressed with their expertise in privacy regulations.
A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.
BACKGROUND
Introduce your business and what you do there.
Our organization is a software development company that delivers software as both on-premise deployments and cloud-based services. Our software is used for work product management, where users manage high-value documents. We’re a B2B company, and our customer base mainly consists of attorneys, accountants, and financial professionals. We serve about a million users worldwide and thousands of organizations as customers.
I was previously in the compliance team for security and business continuity and supplier assessments. Now, I’m more focused as a member of the privacy office to deal with privacy-related matters.
OPPORTUNITY / CHALLENGE
What challenge were you trying to address with HewardMills?
Both our company and customers deal with highly confidential documents from a security and privacy perspective. As a result, it’s critical for our company to be compliant with all regulations related to security and privacy.
Since privacy regulations such as the GDPR are complex, we’ve appointed HewardMills as our data protection officer (DPO). After putting them in this official position, we’ve notified regulators and supervisory authorities that the HewardMills team is acting on our behalf. As part of that, they provide professional advice and guidance to help us be compliant with privacy regulations around the world.
SOLUTION
What was the scope of their involvement?
HewardMills has a well-formulated work plan. They first conduct an assessment of our practices and policies. After that, they come up with an assessment report, which then becomes the basis of the plan that we utilize and improve. As new regulations appear, they conduct new audits. We steadily work with them on such audits to create an ongoing remediation and work plan.
Moreover, HewardMills helps us with the wording of our website's privacy notice and with how we move forward with our cookie management tools. On top of that, they advise us on how and when we should notify users when we’re collecting information about them. We also receive guidance in terms of how users can opt in and out of such processes based on region-specific rules.
At present, we’re expanding the scope of their cloud-based certification work to help us understand and interpret all certification requirements. As part of that, they're helping us develop documented policies and procedures that we must follow to be compliant with all of those requirements.
Overall, our engagement with HewardMills is an ongoing improvement of our practices. However, we’re only using them 3–5 days a month.
What is the team composition?
Primary and secondary leads work with us, and they bring in additional resources based on specific regulations. For instance, we might need a person who deals with a country-specific regulation or a specific IT or privacy technology issue. In that situation, the leads bring in their colleagues with specialist skills as needed.
How did you come to work with HewardMills?
We were introduced to HewardMills by one of our customers who liked them. We checked them out, and then we signed a one-year contract with them.
What is the status of this engagement?
We contracted with them in May 2018, and the engagement is ongoing. We’ve recently renewed the agreement, which will take us through the end of 2021.
RESULTS & FEEDBACK
What evidence can you share that demonstrates the impact of the engagement?
As our primary success metric, we check whether our company continues to be compliant with privacy regulations around the world. So far, we’ve been successful in doing that as well as in getting certifications. For instance, HewardMills has successfully helped us get an ISO 27701 privacy regulation certification for our cloud-based services. This has added more credibility to our company and has brought comfort to our customers, letting them know that we’re doing the right thing.
HewardMills has also helped us be compliant with the California Consumer Privacy Act (CCPA). On top of that, they’ve guided us during the European Court of Justice’s voidance of a regulation called Privacy Shield. They’ve advised us on how to approach that and helped us make text changes on our website to be compliant with it.
How did HewardMills perform from a project management standpoint?
HewardMills has a well-defined structure. Our points of contact have been stable over the last three years, and we’ve only had two leads throughout those years, so there’s good continuity in terms of personnel assignment.
Moreover, they track the tasks that we assign to them, and we have a meeting every two weeks to review tasks on our mutual list. We do some work, give it to them for review, and ask them for advice. To communicate, we’ve always used conference calls in one form or another because our people are located in different parts of the world. We’ve used Teams before, and we use Zoom now. We set up additional calls if necessary for a particular topic.
What did you find most impressive about them?
Based on our experience and the respect that HewardMills generates around the world, they’re a leader in privacy matters, and they lead on international committees. As they’ve grown, they’ve brought in more specialist services, so we’ve built confidence that we can get the advice that we need from them.
We also utilize specialists outside of legal counsel. Occasionally, we reach out to multiple organizations for advice, and we haven’t been disappointed with HewardMills’ guidance in comparison with other specialists in that field.
Are there any areas they could improve?
As our relationship matures, HewardMills has also grown and matured. Since this is also a relatively new business for them, we've been vocal about areas they can improve. They’ve been responsive to that. In fact, they have internal management meetings within a month of receiving our suggestions to change their practices for the better.
As an example, when we initially looked at their work plan, HewardMills had a lot of business-as-usual activities. We told them that those activities weren’t a work plan, so they changed them. It was a small change, but it helped us improve our communication and identify the tasks that we were working on. They also implemented that change across the entire organization, showing that they were receptive to feedback.
Do you have any advice for potential customers?
Make sure that you have access to the right leads. This doesn’t mean that HewardMills has bad leads; it means that you need to get to know the project managers and be comfortable with them. This is important for your relationship because everything goes through the leads.
RATINGS
- Quality: 5.0 (Service & Deliverables)
- Schedule: 5.0 (On time / deadlines)
- Cost: 4.0 (Value / within estimates)
- Willing to Refer: 5.0 (NPS)