Over the last few weeks I have been contributing to a case in which our partner, Capgemini, had been helping a shared client in their journey towards GDPR compliance. This process provided key insights into how similar projects traditionally have used fragmented tools and templates to gain an overview of expansive and complex projects – tools like Excel, PowerPoint, Visio, or wikis. These tools all have their own strengths and purposes, but used in this type of scenario, teams are setting themselves up for failure.
Starting With a GDPR Compliance Gap Analysis
For this GDPR project, the client first looked at all of their domains, processes, and supporting application services across their international organization. For each of these, they needed to identify:
- What type of data was being handled within processes
- What legal basis supported that handling, and
- What specific purpose it served
Then, they assessed the level of compliance with each of the GDPR principles and documented “gap observations”, areas that need to be improved or further investigated to become compliant.
This information is aggregated from all around the organization. Regardless of the method of data collection your organization chooses, the tool you use to record that data is critical.
“Working with Ardoq over the last 12 months has been an eye-opener. The level of insight we get by using Ardoq helps us to understand and discuss our concerns in a meaningful way.
Using my experience in security and architecture to support the evolution of Ardoq has been a tremendous journey. I have started to realize many years of ideas – to make information security by design, and to derive security goals directly from business goals. Having everything documented and up-to-date in Ardoq has been a game changer for helping enterprise and security architects communicate with CxOs.”
Where Simpler Tools Fall Short
When looking at the tool needs of someone creating documentation for GDPR compliance, some requirements became quickly apparent:
1. The need to collaborate
Documenting information about the personal data flowing through your organization – from servers, through tools, to sales and marketing departments – requires input from multiple people. Using a tool with collaborative features built-in is more straightforward than sharing an Excel document across the org and then worrying about everyone using the latest version.
2. The need to have an audit trail
Just like collaboration, showing the history of changes to your documentation with a tool that’s designed to support it can be a big help. If, for example, an auditor uncovers a noncompliant area that you thought you were compliant in, you need to be able to track the past changes to it to explain what happened and who’s responsible.
3. A better way to visually explore data
Excel visualizations are powerful, but without complex customizations and coding, their interactivity is limited. More dynamic visualizations enable you to explore large datasets and identify issues or insights you may have otherwise missed.
4. Reusability and longevity of the data collected
Using a collaborative tool helps to create a single source of truth, and avoids data getting siloed in different versions of a file spread all over the organization.
If the project is narrow in scope, time, and resources, a one-man team with Excel can come a long way. But as soon as you need to collaborate, handover, or gain an overview, Excel sheets become tricky to manage.
Anyone who has collaborated in Excel knows that you can quickly have issues with auditing, broken functions, and in the worst case, missing or lost data. In addition, given the scope of a GDPR compliance project, you are likely to create a huge number of Excel sheets and supporting Word docs and visualizations. Managing file versions and distribution is a job in itself. This proved to be the case for this project.
The Client’s Reasons for Using Ardoq
Our partner wanted to deliver living documentation which would be the foundation of the client’s GDPR documentation, and would need to be regularly maintained for accuracy.
Another key goal was giving the client the ability to get a high-level overview. Ideally, the compliance team wanted to use values or metrics to prioritize next actions for compliance gaps, based on risk and impact. Gaining this type of overview and insight from multiple fragmented Word and Excel docs proved to be impossible. This is where Ardoq came in.
Along with our partner, we created standardized GDPR templates, a regulation handbook, and an implementation guide in Ardoq. These resources gave the client everything they needed, in-app, to create their GDPR documentation. To get notified when these GDPR templates and resources are available publicly, leave your information in the form at the bottom of the post.
The Documentation Process
The next step was to educate the client’s team so that they could empower domain experts to contribute to the process and application service documentation. This enabled the architects to spend more time on documenting gap observations and analyzing their risk and impact.
By moving the project documentation into Ardoq, the team was able to present a clear audit trail of the observations, any changes, and decisions they had taken in their process for compliance. In the unfortunate event of an external audit, the team could confidently present this process through interactive visualizations and in-depth descriptions to better explain their current state and future plans on the path to compliance. The theory is that by having clear, explorable and visual documentation, the auditor would be satisfied with the efforts done by the team.
Although this project was a “top down” approach, starting with high level processes and architectures, the team is simultaneously documenting from the bottom up. They are utilizing Ardoq’s REST API to automate much of the technical documentation to capture how data is stored, copied, transformed and deleted from the database level up.
The plan is to then connect the conceptual “Application Service” to the actual IT service(s) allowing an architect to drill down from high level gap analyses to the most granular detail of how data is handled.
Implementing the GDPR Templates
After discussing with the clients and their data owners, we were able to develop Ardoq models to answer the key questions they would have on their path to compliance. This resulted in a set of generalized GDPR templates that we’ll be releasing publicly. By documenting the client’s data using the GDPR templates, we could quickly visualize and answer these questions:
- What type of personal data was being collected in each process?
- What was the current assessment of the processes’ compliance with individual GDPR principles?
- Which GDPR principles are having the most issues with compliance?
- Which gap observations on application services have the largest impact?
Below is an embedded Ardoq presentation which shows each of these 4 questions alongside a diagram that answers them. Ardoq diagrams are automatically generated and updated – all these slides are based on the most up-to-date data found in Ardoq.
Documenting Your Own Data with Ardoq’s GDPR Templates
We’ll soon be releasing our GDPR templates, instructions, and an in-app copy of the GDPR regulations. Leave your information in the form below to get notified when they’re available.