First established in Italy in 1946, Ferrero is a globally recognised confectionery maker and the company behind iconic brands such as Ferrero Rocher, Tic Tac, Nutella and Kinder Surprise.
Just 20 years after opening its first factory in the northern Italian town of Alba, Ferrero established operations in the UK and has been fusing modern, innovative approaches to confectionery making with its rich heritage ever since. In 2015, Ferrero acquired UK chocolatier Thornton’s.
“Ferrero is a family-owned business with a strong vision for its future. We have recently made several acquisitions and are committed to growing the business by offering premium quality products with long-term appeal,” said Harpreet Thandi, Regional Counsel, UK & Ireland. “We take our responsibilities as a global confectionery manufacturer seriously and are involved in several environmental and community initiatives. Ferrero sets the bar high in terms of operating in a sustainable way, and preserving trusted relationships with our consumers is key to that.”
As a business, Ferrero prides itself on having a “culture of compliance”, whereby every employee is aware of their legal responsibilities and understands the principles behind them. This extends to every area of the business, including the FMCG, retail and ecommerce operations. The legal team is tasked with ensuring that all employees have the relevant training and tools they need to perform their roles and adhere to the highest standards of data privacy and protection.
When Ferrero acquired Thornton’s, the amount of customer data the company held expanded dramatically: Thornton’s alone managed a customer database of more than five million contacts, more than any other Ferrero entity.
All of that data needed to be appropriately secured and protected against corruption and loss, and Ferrero needed to ensure that its processes and people were adequately equipped to safeguard the privacy of customers at that scale.
Harpreet continues the story. “We have a Group Data Protection Officer (DPO) based at Ferrero Group’s headquarters in Luxembourg, and he advised us to appoint an independent UK DPO with in-depth knowledge of data protection law and best practices. Although we knew that the GDPR was coming down the line, this wasn’t just about compliance. As a company with access to large amounts of customer data, we need to be sure that we are only processing the data we need, that we are using it to best serve the interests of our customers and that we’re completely transparent about how we do that.”
Although hiring an in-house DPO was an option for the UK legal team, it would not have provided the same level of independence that an external provider could. At that stage, the scope of the role also did not justify a full-time headcount.
It was at this point that Ferrero first engaged with the data protection team at NormCyber. In addition to providing guidance on the company’s legal obligations under the GDPR and other relevant legislation, norm.’s Data Protection as a Service offering also includes bespoke advice on current policies and governance frameworks. This is in addition to:
- Analysis of current personal data processing operations
- Reviews of new proposed legal contracts and agreements for GDPR compliance
- Advice and support on the fulfilment of Subject Access Requests (SARs) and Data Protection Impact Assessments (DPIAs)
- An annual review of data protection and privacy governance frameworks, including an annual Board report
- Guidance and interpretation of emerging data protection and privacy laws
- Serving as the primary point of contact and liaison with the Information Commissioner’s Office (ICO) and other EEA Data Protection Authorities where required
“We chose NormCyber as our virtual DPO service because it was clear from the start that they were specialists in this area and had extensive experience of helping organisations to comply with the GDPR. Equally important, they also had a proven track record of working with organisations that recognise that data protection is not about avoiding fines – it’s about earning the right to store and process an individual’s data by treating it with respect. It’s about doing the right thing, and that fits perfectly with Ferrero’s own values,” continues Harpreet.
Most recently, the Head of Legal Services at NormCyber developed and designed a series of tailor-made data protection and privacy webinars for Ferrero’s UK employees. This included training on the fundamentals of the GDPR as well as more in-depth modules for functions with specific data protection obligations such as HR and Marketing.
Since appointing NormCyber as its virtual DPO, Ferrero has received ongoing advice and consultancy on a number of data protection related topics, from SARs and DPIAs to GDPR compliance, the impact of Brexit and the acquisition of Fox’s biscuits. In each case, Ferrero’s legal team and the wider business have benefitted from independent, expert advice with clear recommendations on how to safeguard the privacy of individuals while supporting the ongoing expansion of the business.
The flexibility and bespoke nature of the service has also meant that the legal team at Ferrero can call upon the team at NormCyber at short notice to support them on a wide variety of data protection-related issues. This has allowed their own staff to focus on longer-term, commercial initiatives.
“Appointing NormCyber as our virtual DPO has given Ferrero the best of both worlds – access to data protection experts who understand what we stand for as a business, without the hefty overheads usually associated with appointing an in-house DPO,” summarises Harpreet. “Consumers are more aware than ever that their data has a value, and they expect the companies who hold that data to be open and honest about what they do with it. Trust and brand reputation are vital to the longevity of any business, and the DPaaS solution is key to helping Ferrero maintain this.”