We’ve met with lots of companies, large and small, working towards GDPR compliance. We didn’t start out as GDPR experts, but we’ve learned a lot from our customers about the common challenges that most companies are facing, and the mistakes made when getting started with a complex compliance project.
At a high level, we’ve learned 3 lessons:
- Compliance is a continuous process, not a periodic one.
- It’s important to involve domain experts in your organization to help get an accurate understanding of the current status of systems and processes.
- If you structure your compliance documentation well, not only will that make the compliance process easier, it will also let you reuse the data you collect for other digital transformation initiatives.
This post will explore why compliance must be a continuous process; lessons 2 and 3 will be covered in future posts.
Why should GDPR compliance be continuous?
Many businesses plan to have periodic compliance checks performed by internal or external teams. These can be valuable milestones to track progress towards compliance, but relying solely on periodic compliance checks—say, once per quarter—exposes you to risk in the interim.
A compliance check will likely uncover many gaps that need to be resolved, especially early in the process. If the resulting changes aren’t documented as they are made, 3 things will happen:
- In the case of an external audit between compliance checks, the documentation will be out of date and the organization risks being found noncompliant.
- There will be a gap in organizational knowledge that will force decisions based on incomplete information.
- The work of documentation just gets pushed to the next periodic compliance check, increasing the workload and complexity each time.
If, however, you supplement the periodic compliance checks with consistent documentation generated internally, your risk in the case of an external audit is reduced significantly.
Remember: GDPR is a marathon, not a sprint. Compliance must be demonstrated from 25 May 2018, when the regulation takes effect, and continuously thereafter.
Design a culture of continuous compliance
Once you commit to maintaining continuous compliance documentation, you can define a scope and processes that are sustainable and useful for your business. By involving domain experts and looking for automation opportunities, keeping documentation up to date doesn’t have to be a large time investment. Distribute the work and make small changes frequently, rather than large changes periodically.
Building these processes and internal culture will help your business internalize a GDPR compliance mindset, and the data that you create can be leveraged for secondary projects that will help make GDPR a value-adding process.
Reuse your data for other initiatives
A byproduct of maintaining continuous compliance documentation is a large, up-to-date dataset that reflects the current reality of your organization. If you document it in a central, structured platform like Ardoq, it’s easy to reuse this data for other applications, such as:
- Identifying other risks in the organization
- Performing impact analyses
- Streamlining processes
- Developing new services
- Streamlining your IT portfolio
- Change management
- Digitalization processes
GDPR compliance requires budget and time to get right, but with the proper project structure and internal culture, the output has applications outside of compliance. Compliance may look like a pure cost, but the work you do for it can lay the foundation for projects that deliver substantial business gains.
Where Ardoq fits in
In order to realize the benefits of GDPR compliance, you first need to get a clear understanding of what personal data exists in your organization, where it’s used and stored, who has access, and the reason for having it.
Ardoq lets you create structured documentation of all of this, then use that data to generate up-to-date visualizations and run automated gap analyses to spot potential issues early.