GDPR Compliance


A Data-Driven, Sustainable Approach

When the General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, it codifies into law an unprecedented level of accountability for organizations, making GDPR compliance a must. Fines for non-compliance and data breaches will be much higher, and enforcement will be stricter, with more weight and power vested in a single EU authority.

The stakes are high: Beyond meeting the law’s requirements, this is also about protecting your brand, your reputation, your customer loyalty, and your revenues.

Will your organization be ready? Here’s what to know and do heading into 2018.

GDPR Is Your Responsibility

Preparing for GDPR is not simply a textbook exercise. Depending upon your current data management practices, it may mean a significant change in how your organization thinks about data protection and manages information that is subject to GDPR.

At a high level, GDPR requires you to have the proper controls and measures in place to understand how and why information is being used. You must know where data is stored and how to mitigate risks. If you use personally identifiable information, you must ensure that your organization is using it for the right purpose, in the right way, with the right controls.

Not only that, but you must also ensure that those controls safeguard data privacy even as technology moves apace. For future technology projects, you must have good practices in place to build privacy into systems by design.

Where to Start with GDPR Requirements

Protecting data privacy and proving that you are doing it lawfully under GDPR requires initiating four activities:

  • Log your tech and data assets and determine their use, including:

    • Which data elements contain privacy information?
    • Where is the data physically stored?
    • Which systems/processes use the information and can create, read, update, or delete it?
  • Analyse your data landscape to determine how well that data is protected:

    • What controls are applied to technology assets/processes to support secure handling and transport of information?
    • What confidentiality level is required to keep the data safe?
  • Understand data lineage and where and how that data is being used:

    • What applications process the data and how? How secure are they?
    • Is the information transferred cross-border?
    • Are there contractual agreements in place for transferring information outside the EU?
  • Target and prioritise investments and planning activities required to support GDPR compliance:

    • Where are there gaps and risks?
    • What measures should be established to meet GDPR requirements?

Answering these questions is a complex undertaking that requires assembling a cross-functional data governance team, including legal, data privacy, IT security and risk management, enterprise architecture, and the enterprise program management office (EPMO).

Considerations for a GDPR Initiative

Organizing a diverse group of people to deliver insight and analysis on GDPR is no small feat. They will need the right tools. They must be able to plan and manage GDPR compliance and collaborate efficiently in a time-sensitive and task-driven manner.

Establishing a data mapping project is fundamental to GDPR. Once the data mapping project is completed, the team will need to manage program implementations and follow-on remediation projects. This includes tasks such as defining the roadmap, specifying needed investments, identifying staffing needs, and managing the overall program as well as the portfolio of projects to address gaps.

Many organizations think they will rely on spreadsheets to accomplish all this. Spreadsheets are not robust enough to manage and analyze the data. For instance, a spreadsheet will not be able to show cross-border impact and dependencies on technology and associated risks. It will not enable you to demonstrate to regulators and auditors that you know where all your data is, what kind of data it is, and in which processes and applications the data appears.

Conforming to the GDPR legislation requires a more robust software solution for collaborative work management, data mapping and categorization, and planning and execution.

Collaborative Work Management for GDPR Compliance

Kanban Card Checklist with Projectplace

Bringing a cross-functional team together to work on any initiative can be difficult. Collaborative work management software streamlines teamwork and makes it easy to stay on track with GDPR plans. It ensures teams get work done by helping them organise and collaborate efficiently on their assigned tasks.

Look for a solution with a standard template of GDPR requirements that can serve as your starting point. An out-of-the-box workflow enables you and your team to execute GDPR-related activities. Conversation feeds allow the team to stay aligned and on track.

Quick access to data response plans, contracts, controller and processor agreements, and any other GDPR documentation can all be managed within the collaborative work management solution, either by storing documents or linking to other sources. Centralising documentation makes it easy for your team to manage, update, and collaborate during the initiative.

Data Mapping and Categorization for GDPR

Business Process Data Mapping with Troux

Understanding how information is being used and stored within your organization is core to GDPR readiness. The right software can help at scale to provide these answers, quickly and visually. Look for a solution that answers the what, where, when, and why questions around privacy data, including its retention requirements, whether it is transferred cross-border, whether and when third parties touch it, who owns it in case of a breach, and whether a fair processing notice is in place. These are just some of the ways in which the right solution can capture information relating to meeting your GDPR requirements.

You should also be able to see the complete data lineage across the organisation and understand how each element flows across the company, with visualisations that are easy to export into spreadsheets if needed. You should see locations and business processes in a single view to pinpoint risky processes that need further privacy controls or applications with potential vulnerabilities.

Optimal solutions also streamline data maintenance with automated workflows. The employees responsible for data upkeep should receive timely emails that prompt information updates, ensuring that your company always knows where its data is and how it is used.

Planning and Execution for GDPR Remediation

Strategy Roadmap with Planview Enterprise

GDPR 2018 requires a delivery and execution plan that supports the timeline and tracks and manages the required remediation activities. The right software solution helps you prioritise initiatives and projects as well as conduct the planning for new technologies, projects, and staffing. It enables you to build a solid business case, show funding alternatives, and demonstrate trade-offs between proposed decisions.

From there, you should have the ability to create enterprise roadmaps that link your GDPR initiative to investments and outcomes that address the gaps discovered in organisational privacy practices.

Linked tightly to execution, roadmaps keep your organisation in sync, gather metrics, and help you understand the impact of actions.

Look for software that also enables you to leverage program management that reaches across silos, easily defines plans, tracks status, and measures progress. It should help you to maximise project performance as schedules and milestones keep people on course for maximum impact.

In addition, you should be able to keep stakeholders informed and engaged with analytics, dashboards, and interactive visualisations that identify trends and accelerate your strategy.

Additional Benefits of a GDPR Exercise

The General Data Protection Regulation is about more than meeting requirements, avoiding financial penalties, and protecting your brand. Leveraging the information captured to support GDPR can also bring tangible benefits to your organization:

  • Cost reduction: Approximately 18 percent of data in people databases such as a CRM or ATS system is duplicated.¹ By leveraging the insights of your GDPR initiative, your IT organisation can identify areas of duplication for elimination or consolidation, reducing systems cost, wasted capacity, IT time, maintenance cost, backup times, and data centre costs.

  • Risk reduction: You will be able to quickly identify where sensitive information is being stored and the technology obsolescence and security measures in place on those systems, enabling you to plan and execute remediation strategies.

  • Improved customer experience: While ensuring data privacy controls are in place, you gain a better understanding of your customer-facing processes and applications as well as their purpose within the organization. This can help you to shape and deliver digital solutions that align with how customers want to engage with your organization. This also helps to support privacy by design approaches to technology.

The Planview Solution for GDPR

Whether you are just getting started or deep into data mapping and assessments, Planview can help your initiative via a data-driven, sustainable solution. Based on our more than 30 years of experience helping hundreds of global organisations solve complex business problems, the solution will enable you to answer the business questions presented by the GDPR now and in the future.

The Planview solution can assist in achieving your GDPR 2018 compliance goals with:

  • Collaborative Work Management: Organise cross-functional teams and get GDPR work done more effectively.

  • Data Mapping: Create a clear line of sight into how information is being used within your organization and understand how secure information is within applications and technology.

  • Planning and Execution: Plan GDPR project roadmaps, link them to execution, and manage implementation.

GDPR 2018 Is Coming Fast: Act Now

GDPR affects all organisations that have customers or operations within the European Union, but not every organisation will be equally well equipped to address its obligations and benefit from its advantages.

Planview can help support your GDPR projects and not only make them real, but sustain them over time.

Citations

  1. Deduping Data Matters: The Hidden Costs of Duplicate Data. (2017). Peopledatalabs.com. Retrieved 22 August 2017.

Meet our author

Nicola McCoy

Managing Consultant, Planview

Nicola McCoy has over 20 years' experience working within information security, enterprise architecture, global technology, and enterprise software roles. She has deep experience in helping organisations to understand operational resilience, information security, and how to manage risk within a connected enterprise, while communicating their current risk posture to senior (C-level) stakeholders. Nicola works with many of our customers to implement solutions that support recording, reporting, and analyzing risk across the enterprise. Prior to working for Planview, Nicola was a key member of the Global IT Security and Global IT functions within PricewaterhouseCoopers, where she was a thought leader in information security policy, strategy, and standards.