eCommerce Giant Brings Home Automated Privacy Management for 10X ROI
With a vision of “dream homes for all,” Overstock is an online retailer and technology company that offers furniture, decor, rugs, bedding, and other home goods for millions of consumers.
As emerging comprehensive data privacy regulations gained momentum, the team knew that it was time to upgrade their program in favor of an automated, scalable approach to privacy that would reinforce customer trust.
- Before DataGrail, Overstock.com’s privacy efforts relied on manual processes, spreadsheets, interviews, and costly engineering resources to fulfill data subject requests (DSRs). “Do not sell” requests (DNS) took up to three weeks to complete.
- With DataGrail, Overstock.com achieved a 10x ROI by empowering a single IT Compliance manager to effortlessly manage the company’s privacy requests, in turn freeing up dozens of engineers to refocus on core strategic development.
- With end-to-end automation of data subject requests, the team is now able to fulfill “do not sell” requests in minutes. In addition, the Overstock.com team leverages continuous data discovery across dozens of cloud and on-premises systems.
In 2019, Brandon Greenwood, CISO, VP Security & IT, and Heidi Asbrand, Privacy & IT Compliance Manager, foresaw that their existing privacy program wasn’t positioned to scale with emerging regulations.
With the CCPA taking effect in January 2020, they expected to see an increase in DSRs that were costly and inefficient, especially when it came to customers opting out of the sale of their data. They were relying on manual processes that required valuable engineering time to go into each and every database, find the pertinent data, and manually fulfill the request. Admins for third-party SaaS systems were also tapped to manually fulfill requests on their end. This whole process often took up to three weeks, which was frustrating for the internal teams, and not timely for customers.
They set out to find a solution that would enable the team to:
- Effortlessly adapt their privacy program beyond the GDPR to include emerging regulations like the CCPA
- Provide a better, faster, centralized experience for customers exercising their data privacy rights
- Eliminate “lost” data by understanding where personal data was flowing through business apps and infrastructure (without having to manually update spreadsheets)
- Save time with end-to-end automation and by integrating key business apps and on-prem databases into customized privacy workflows
- Remove valuable engineering resources as a bottleneck in fulfilling data requests
- Manage all privacy requests from one place, automatically retrieving and updating data across all business systems, as well as maintaining full history and audit logs of requests.
The Overstock.com team implemented DataGrail’s Request Manager for automated DSRs, including Do Not Sell requests. The team is now confident that data won’t get lost or overlooked in the request fulfillment process, which was not feasible before.
They have automated access requests with their systems of record, including their customer engagement platform, customer data platform, and cloud and on-prem data sources. Fulfillment of data subject requests is customized to meet the company’s security needs. Fulfilling DSRs is seamless: notifications and data extraction are fully automated, coupled with human oversight for sensitive actions such as data deletion.
The team has been thrilled with the results of implementing DataGrail’s data privacy platform. They’ve greatly reduced time and effort spent on data privacy compliance, and the team didn’t break a sweat when DSRs increased with CCPA taking effect in 2020.
Looking ahead, the team knows they will be ready for any emerging regulations, such as Virginia’s CDPA. As the team upgrades and migrates their database architecture, they’re confident that their privacy program will continue to be well supported through their DataGrail integration. The team also looks forward to leveraging improved analytics and more customized workflows, and deepening their partnership with DataGrail.
- 10x ROI in the first year
- 3 mins vs. 3 weeks time to fulfill DNS request
- 2+ hours saved per DSR