This is the final blog in a 3-part series on the lessons we’ve learned about structuring and implementing GDPR compliance projects.
We’ve met with lots of companies, large and small, working towards GDPR compliance. We didn’t start out as GDPR experts, but we’ve learned a lot from our customers about the common challenges that most companies are facing, and the mistakes made when getting started with a complex compliance project.
At a high level, we’ve learned 3 lessons:
- Compliance is a continuous process, not a periodic one.
- It’s important to involve domain experts in your organization to help get an accurate understanding of the current status of systems and processes.
- If you think structured with your compliance documentation, not only will it make the compliance process easier, it will also empower you to use the data you collect for other digital transformation initiatives.
This post will explore why creating structured compliance documentation is the best approach.
You've come to the realization that GDPR compliance impacts the whole organization, it's a continuous process, and that it will change the organization's culture and how it operates. Now it's time to decide how to document it.
Documenting your GDPR compliance in a structured way will make it easier to discover and prioritize compliance gaps and lay the foundation for value-adding projects beyond GDPR.
Structured vs. unstructured data
Creating structured documentation first requires you to identify the important attributes of an object. For example, when documenting an application, you'll want to know if it processes personal data. When documenting personal data, you'll want to know if consent was gathered.
These attributes should have defined input types (e.g. integer) and any relevant restrictions (e.g. less than 1,000). Knowing what values an attribute may have makes analysis easier and gives you greater confidence in the documentation.
One example of unstructured data would be a Word document; even if all the important information is present, it would be difficult to, for example, compare the number of data subjects in one document to another, or to sort the data.
Even when using a structured tool like Excel, it's possible to enter data in an unstructured way. In the image below, two examples of overloaded attribute values are highlighted in red:
Since these attributes have multiple values specified, the data is inconsistent, and it will be harder to draw conclusions and compare data.
Design documentation for reusability
In the process of documenting your GDPR compliance, you'll be collecting information about the core of your organization—what makes it tick, what makes it competitive. Personal data drives most organizations, whether B2C or B2B. Things like HR data and customer/vendor data are key to competitive success.
If you're investing the time to document these things for GDPR compliance, why not design the documentation in such a way that it's reusable for future projects?
In addition to making data analysis more straightforward, structured documentation makes it much easier to import your data into other tools in the future, reducing the amount of time needed to get started with new projects. Unstructured data, however, offers very little reusability.
Adding value beyond GDPR compliance
GDPR requires an understanding of core business processes, applications, and infrastructure. The high-risk nature of the GDPR means that most organizations will make compliance a top priority. Leveraging GDPR focus to create structured, up-to-date documentation can lay the foundation for...
- Performing risk analysis
- Identifying the biggest challenges in a digitalization process
- Changing IT vendors
These are all small wins that add up and reduce the total cost of ownership of your compliance documentation.
Take steps now to design a structured GDPR compliance documentation strategy, and your business will reap the benefits.
Where Ardoq fits in
In order to realize the benefits of GDPR compliance, you first need to get a clear understanding of what personal data exists in your organization, where it’s used and stored, who has access, and the reason for having it.
Ardoq allows you to create structured documentation of all of this data, then use that data to generate up-to-date visualizations and run automated gap analysis to spot potential issues early on.