This is the second blog in a 3-part series on the lessons we’ve learned about structuring and implementing GDPR compliance projects.
We’ve met with lots of companies, large and small, working towards GDPR compliance. We didn’t start out as GDPR experts, but we’ve learned a lot from our customers about the common challenges that most companies are facing, and the mistakes made when getting started with a complex compliance project.
At a high level, we’ve learned 3 lessons:
- Compliance is a continuous process, not a periodic one.
- It’s important to involve domain experts in your organization to help get an accurate understanding of the current status of systems and processes.
- If you think structured with your compliance documentation, not only will it make the compliance process easier, it will also empower you to use the data you collect for other digital transformation initiatives.
This post will explore why involving domain experts with the compliance process results in less risk.
What is a domain expert?
A domain expert is someone who has hands-on expertise with a core function of your business, e.g. the department head of IT, marketing, or sales.
Compliance projects are often managed by a higher-level stakeholder, with minimal involvement from domain experts. While experts are asked to contribute information about their domain, it's usually in pre-defined documents or surveys.
GDPR, as with other corporate regulations, impacts your entire organization; therefore, we believe that the whole organization should be involved.
Domain experts increase the quality of documentation
Involving experts with documentation creation and analysis will improve your documentation's level of detail and quality. When experts take ownership of documentation for their domain, they can decide what to document and how, resulting in a much clearer and complete picture of reality.
Instead of a "pull" method of documentation (requesting specific information from domain experts), implement "push": experts create and maintain documentation for their domain, and connect it to documentation from the rest of the organization.
Domain experts discover value-adding opportunities
Compliance requires you to document your core business. If you think of this process as only a compliance process, the end result will be compliance documentation. If, instead, you build comprehensive documentation that can be used for compliance, you'll lay the foundation for other value-adding projects like changing vendors, developing new services, or implementing digitalization processes.
When domain experts document their own systems and processes and see the dependencies between everything, it becomes easier to spot inefficiencies or opportunities. And with the documentation in place, it's easier to plan and implement projects to address them.
Where Ardoq fits in
In order to realize the benefits of GDPR compliance, you first need to get a clear understanding of what personal data exists in your organization, where it’s used and stored, who has access, and the reason for having it.
Ardoq allows you to create structured documentation of all of this data, then use that data to generate up-to-date visualizations and run automated gap analysis to spot potential issues early on.