Creating structured GDPR compliance documentation

23 Apr 2018

by Magnus Valmot

GDPR is an ongoing process, so having accurate documentation that can be easily updated is crucial.

We’ve met with any number of companies, large and small, working towards GDPR compliance. We didn’t start out as GDPR experts, but we’ve learned a lot from our customers about the common challenges that companies face now, are likely to face going forward, and the mistakes that can be made when getting started with a complex compliance project.

At a high level, we’ve learned three key lessons:

  1. Compliance is a continuous process, not a periodic one
  2. It’s important to involve domain experts in your organization to help get an accurate understanding of the current status of systems and processes
  3. If you take a structured approach to your compliance documentation, not only will it make the compliance process easier, it will also allow you to reuse the data you collect for other digital transformation initiatives

This post will explore why creating structured compliance documentation is the best approach for your business.

Be structured

GDPR compliance impacts every part of an organization. Not only that, it's a continuous process, and will likely alter the organization's culture and how it operates. When going through such a process, it’s essential to be able to accurately document what you’ve done.

Documenting your GDPR compliance in a structured way will make it easier to discover and prioritize compliance gaps, and lay the foundation for value-adding projects beyond GDPR.

Structured vs. unstructured data

The first step of creating structured documentation is to identify the important attributes of an object. For example, when documenting an application, you'll want to know if it processes personal data. When documenting personal data, you'll want to know if consent was gathered.

These attributes should have defined input types, and include any relevant restrictions. Knowing what values an attribute may have makes analysis easier, and will ultimately give you greater confidence in the accuracy of the documentation.

One example of unstructured data would be a Word document: even if all the important information is present, it would be difficult to, for example, compare the number of data subjects in one document with that in another, or to sort the data. Even a structured tool like Excel allows data to be entered in an unstructured way.
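To make the distinction concrete, here is an added example (not code from this post or from Ardoq) of what "defined input types and restrictions" buys you: a small typed schema for documenting applications, a parser that refuses free-text answers such as "yes, probably" or "lots", and the kind of automated gap check and sorting that the later section on Ardoq describes. The field names and the set of legal bases are assumptions chosen for illustration, and the sample rows are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example schema. The field names and the allowed legal bases are
# assumptions for illustration, not the data model of any particular tool.
LEGAL_BASES = {"consent", "contract", "legal_obligation", "legitimate_interest"}


@dataclass(frozen=True)
class ApplicationRecord:
    name: str
    processes_personal_data: bool
    legal_basis: Optional[str]         # one of LEGAL_BASES, or None if not documented
    consent_gathered: Optional[bool]   # only meaningful when legal_basis == "consent"
    data_subject_count: Optional[int]  # non-negative, or None if not yet known


def _require_bool(value: object, field: str) -> bool:
    if not isinstance(value, bool):
        raise ValueError(f"{field}: expected True/False, got {value!r}")
    return value


def parse_record(raw: Dict[str, object]) -> ApplicationRecord:
    """Validate one raw row (e.g. from a spreadsheet export) against the schema.
    Free-text answers are rejected here, so every value that reaches the
    analysis step has a known type and range."""
    name = raw.get("name")
    if not isinstance(name, str) or not name.strip():
        raise ValueError("name: must be a non-empty string")
    processes = _require_bool(raw.get("processes_personal_data"), "processes_personal_data")
    basis = raw.get("legal_basis")
    if basis is not None and basis not in LEGAL_BASES:
        raise ValueError(f"legal_basis: {basis!r} not in {sorted(LEGAL_BASES)}")
    consent = raw.get("consent_gathered")
    if consent is not None:
        consent = _require_bool(consent, "consent_gathered")
    count = raw.get("data_subject_count")
    if count is not None:
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(count, bool) or not isinstance(count, int) or count < 0:
            raise ValueError(f"data_subject_count: expected non-negative integer, got {count!r}")
    return ApplicationRecord(name.strip(), processes, basis, consent, count)


def find_gaps(records: List[ApplicationRecord]) -> List[Tuple[str, str]]:
    """Automated gap check: (application, issue) pairs for records whose
    structured attributes are incomplete or inconsistent with each other."""
    gaps: List[Tuple[str, str]] = []
    for r in records:
        if r.processes_personal_data:
            if r.legal_basis is None:
                gaps.append((r.name, "processes personal data but no legal basis documented"))
            if r.legal_basis == "consent" and r.consent_gathered is not True:
                gaps.append((r.name, "relies on consent but consent is not recorded as gathered"))
            if r.data_subject_count is None:
                gaps.append((r.name, "number of data subjects not documented"))
        elif r.legal_basis is not None or r.consent_gathered is not None:
            gaps.append((r.name, "no personal data processed, yet a legal basis or consent flag is set"))
    return gaps


def rank_by_data_subjects(records: List[ApplicationRecord]) -> List[str]:
    """The comparison a free-text document cannot offer: largest processing first."""
    with_counts = [r for r in records if r.data_subject_count is not None]
    return [r.name for r in sorted(with_counts, key=lambda r: r.data_subject_count, reverse=True)]


# Constructed sample rows, as they might come out of a spreadsheet export.
SAMPLE_ROWS = [
    {"name": "CRM", "processes_personal_data": True, "legal_basis": "contract",
     "consent_gathered": None, "data_subject_count": 12000},
    {"name": "Newsletter", "processes_personal_data": True, "legal_basis": "consent",
     "consent_gathered": False, "data_subject_count": 3500},
    {"name": "HR system", "processes_personal_data": True, "legal_basis": None,
     "consent_gathered": None, "data_subject_count": None},
    {"name": "Build server", "processes_personal_data": False, "legal_basis": None,
     "consent_gathered": None, "data_subject_count": None},
]
# A constructed row with unstructured answers that the schema refuses.
BAD_ROW = {"name": "Legacy ERP", "processes_personal_data": "yes, probably",
           "legal_basis": None, "consent_gathered": None, "data_subject_count": "lots"}


def run_demo():
    records = [parse_record(row) for row in SAMPLE_ROWS]
    try:
        parse_record(BAD_ROW)
        rejected = False
    except ValueError:
        rejected = True
    return records, find_gaps(records), rank_by_data_subjects(records), rejected


if __name__ == "__main__":
    records, gaps, ranking, rejected = run_demo()
    for app, issue in gaps:
        print(f"{app}: {issue}")
    print("by data subjects:", ranking)
    print("unstructured row rejected:", rejected)
```

Because every attribute has a fixed type and a closed set of allowed values, the gap check is a handful of comparisons rather than a reading exercise, and the same records can be sorted, counted, or exported to another tool without re-interpreting anyone's free text.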

Design documentation for reusability

In the process of documenting your GDPR compliance, you'll be collecting information about the core of your organization, and subsequently finding out what makes it tick, and what makes it competitive. Personal data drives most organizations, whether B2C or B2B, while things like HR data and customer/vendor data are key to competitive success.

If you're investing the time to document these things for GDPR compliance, why not design the documentation in such a way that it's reusable for future projects?

In addition to making data analysis more straightforward, structured documentation makes it much easier to import your data into other tools in the future, reducing the amount of time needed to get started with new projects. Unstructured data, on the other hand, offers very little reusability.

Value beyond GDPR compliance

GDPR requires an understanding of core business processes, applications, and infrastructure. The high-risk nature of GDPR means that most organizations will make compliance a top priority. Leveraging the focus on GDPR to create structured, up-to-date documentation can lay the foundations for:

  • Performing risk analysis
  • Identifying the biggest challenges in a digitalization process
  • Changing IT vendors

These are all small wins, but they add up to reduce the total cost of ownership of your compliance documentation. Take steps now to design a structured GDPR compliance documentation strategy, and your business will reap the benefits.

Where Ardoq fits in

In order to realize the benefits of GDPR compliance, you first need to get a clear understanding of what personal data exists in your organization, where it’s used and stored, who has access, and the reason for having it.

Ardoq allows you to create structured documentation of all of this data, then use it to generate up-to-date visualizations, and run automated gap analysis to spot potential issues early on.