Grupo Bimbo bakes in end-to-end data security and compliance with Microsoft Purview true to its “deeply human” values

Growing from startup to global powerhouse

Grupo Bimbo isn’t your corner bakery, but it cares for its products and people as though it were. A leader and innovator in its industry, the global company has garnered numerous honors, including recognition by Time magazine and business intelligence platform Statista as highest-ranked Mexican company and fourth in the world in the food and beverages category. It’s risen from its 1945 birth in Mexico City with 34 associates and four types of bread to become a worldwide powerhouse: more than 100 brands, including Sara Lee, Oroweat, Boboli, Entenmann’s, and many more. Grupo Bimbo owes its phenomenal growth to both its passion for innovation and its employees, whom it refers to as associates. 

Like the wholesome breads, muffins, and tortillas the company turns out, sustaining corporate values isn’t a matter of setting and forgetting a few truisms. “Grupo Bimbo wants to always be sustainable, highly productive, and deeply human,” says Jose Antonio Parra, Vice President of Global Digital Transformation, Data and Analytics at Grupo Bimbo. “We support those goals with information technology, because data analysis shows us where our greatest opportunities are.” That trove of data includes precious intellectual property: recipes and R&D data, plus inventory, production, and quality control data for Grupo Bimbo’s 217 plants around the world. Unlike many industrial-scaled bakeries, which haven’t really changed in decades, Grupo Bimbo manages key production functions in some of its bakeries with cutting-edge IoT technology. Finally, the company maintains personal data about associates—just as important as any industrial secret.

In the Grupo Bimbo world, protecting and managing data is as important as sourcing the finest ingredients. “We begin every conversation with a prospective technology partner with ‘Can you manage the amount of data we have?’” says Parra. “People tend to think that a bakery wouldn’t be that complex. But any data mishap could affect our consumers, our suppliers, and our relationships with regulators anywhere in the world.” That translates to protecting what Grupo Bimbo most prizes: its sterling reputation. “Compliance with continually increasing and more complex regulations isn’t just part of our competitive advantage,” he adds. “The reputation of our company is at stake.” But understanding how data flowed through the company and where sensitive data resided was an increasingly complex task. When Parra and his team sought a tool to simplify compliance, they didn’t have far to look.

Rolling out sophisticated compliance to 35,000 associates

As a longtime Microsoft customer, Grupo Bimbo had a history of optimizing multiple Microsoft technologies. And as a global concern, Grupo Bimbo needed a single data governance solution that could parse both its Azure and Microsoft 365 productivity environments while also providing up-to-date compliance guidelines for multiple nations and agencies. “We regard Microsoft as our trusted technology advisor,” explains Parra. “We chose Microsoft Purview because of our strong successes with Azure cloud technology. The IT solutions we’ve built using Microsoft products made Microsoft the logical partner for an end-to-end data security and governance solution.” Microsoft Purview was an exact fit for the global bakery’s data security and governance needs. Equipped with Microsoft 365 E5 Security and Compliance tools, Grupo Bimbo deployed the solution to 35,000 associates within 18 months. The company credits careful pre-planning and inclusive change management with the successful rollout.

Alejandro Cuevas, Global Director of Information Technology, Risk, and Compliance at Grupo Bimbo, and his team began by focusing on the data. Cuevas navigates a matrix of international regulations, the individual needs of myriad departments at the various factories, and supply chain partners. “We needed to understand where our sensitive data resides and how it moves throughout the company,” he says. “We then had to decide how to protect it, determine which data should be shared with external parties and how to safely share it with them. And we must make our controls available to regulatory auditors in a secure way.” 

Synchronizing data protection with Microsoft Purview

The team began by identifying and labeling sensitive and business-critical information with Microsoft Purview Information Protection, using advanced classifiers and sensitive information types. Then they used the files labeled as sensitive to create conditions in Microsoft Purview Data Loss Prevention (DLP) that specify what types of data could be shared and under what conditions. Purview DLP rules extend throughout the Microsoft ecosystem, from Microsoft 365 productivity apps including OneDrive and SharePoint. The team used Microsoft Purview Compliance Manager to align Grupo Bimbo data handling rules to the relevant laws and regulations wherever it operates. Protecting all types of data, including confidential employee health data, is subject to regulations like GDPR in Europe and the United States HIPAA rules. 

Grupo Bimbo then rolled out the risk management solutions in Microsoft Purview: Microsoft Purview eDiscovery and Communication Compliance. “We use Microsoft Purview to do more than simply protect our sensitive information,” says Cuevas. “When we receive an audit request, the investigating department saves precious time in finding relevant information with the Purview eDiscovery capability.” 

The Microsoft Purview Insider Risk Management capability is part of the Microsoft Purview data security solution set. It’s commonly lauded for preventing data leaks from internal sources, but Grupo Bimbo uses it more proactively. “We use Microsoft Purview Insider Risk to stay ahead of potential compromise because we receive alerts before a data leak or data loss incident can occur,” adds Cuevas. Adaptive Protection, a machine learning capability, combines the functionality of both Purview Data Loss Prevention and Insider Risk Management to optimize the balance between security and productivity based on dynamically assessed user risks. “Traditionally, managing the human aspect of security is very complex,” muses Parra. “People equate security with very restrictive policies that can frustrate our associates. But the Adaptive Protection capability is a perfect example of how helpful machine learning can be, because we use it to make security-based decisions rooted in logic and context. Being able to adjust to context dynamically helps us achieve a more effective balance between safety and flexibility.”

Grupo Bimbo also uses Microsoft Purview Communication Compliance to protect its most important asset: 145,000 dedicated employees. It appreciates the privacy built into the tool that anonymizes employee identity in internal communications while also preemptively indicating any sign of business conduct violations, helping to maintain a respectful and highly secure work environment.

Baking security and compliance into an entire estate

With a coordinated set of data security and compliance tools, even a complex global operation like Grupo Bimbo can gain critical visibility into its data. “We’re using Microsoft Purview to keep Grupo Bimbo data more secure, more proactively than ever before,” affirms Cuevas. For him, the Grupo Bimbo “deeply human” value translates to balancing personal and work lives for himself and his team. “Using a tool like Microsoft Purview helps my team be as effective as possible,” he says. “Our stakeholders identify their data protection needs, and we use the machine learning capabilities of the solution to enact those protections. The team and I have more time to recharge.”

In keeping with its “deeply human” principles, Grupo Bimbo insists on a tool set that builds privacy into every component to protect the privacy of its global associate community. “Nobody believed that we could gain such an in-depth understanding of our data while also respecting and keeping individuals anonymous,” says Parra. “Yet that’s exactly what happened. It’s been a journey of building trust and understanding that whatever information we collect is always kept separate from personal identity. We protect the privacy of our associates.” He values that result as key to Grupo Bimbo’s ambitious plans. “Our goals to be a sustainable, highly productive, and deeply human company translate to every individual associate,” Parra concludes. “Like Microsoft, we want to empower our people to achieve more. Our accomplishments rest on the talent and work of individual people, assisted by technology.”