GDPR templates for gap analysis

12 Mar 2018

by Magnus Valmot

When it comes to compliance, half of the battle can be won by having in place the right tools for the job.

Recently, we have been working closely with our partner, Capgemini, to help a shared client in its journey towards GDPR compliance. This process provided valuable insights into how similar projects have traditionally used fragmented tools - Excel, PowerPoint and Visio, for example - to gain an overview of expansive and complex projects. And, while these tools all have their own strengths and purposes, when used in this type of scenario, teams are setting themselves up for failure.

GDPR compliance gap analysis

To begin the task, the client looked at all domains, processes, and supporting application services across its international organization. With regard to each of these, there was a need to identify:

  1. What type of data was being handled
  2. What legal basis supported that handling
  3. The specific purpose it served

Then, the level of compliance with each of the GDPR principles was assessed. Compliance gaps, as well as areas requiring additional investigation, were subsequently noted and documented. And, it is worth stating here that regardless of the method of data collection, the tool used to record the data is of critical importance.

“Working with Ardoq over the last 12 months has been an eye-opener. The level of insight we get by using Ardoq helps us to understand and discuss our concerns in a meaningful way. Having everything documented and up-to-date in Ardoq has been a game changer.”

- (Thorbjørn Ellefsen, Cybersecurity Lead, Capgemini Norway)

Where simple tools fall short

When considering the needs of someone creating documentation for GDPR compliance, there are some key requirements:

1. Collaboration

Documenting information about the personal data flowing through your organization – from servers and emails, to sales and marketing departments – requires input from multiple stakeholders. Using a tool with in-built collaborative features as standard is far more beneficial than sharing a solitary Excel document, and hoping that everyone is using the latest version.

2. Audit trail

Being able to access the history of documentation, and acknowledge changes that have been made and the reasons why, can be incredibly useful. If, for example, an auditor uncovers a noncompliant area that you thought you were compliant in, it will be beneficial to be able to track changes so as to explain what happened, who’s responsible, and what can be done to remedy the situation.

3. Clear visuals

Excel visualizations can be powerful, but without complex customizations and coding, interactivity is limited. More dynamic visualizations offer the capacity to explore large datasets, and identify issues or insights that could otherwise be easily overlooked.

4. Reusable data

If a project is narrow in scope, time, and resources, a one-person team with Excel can go a long way. However, as soon as an element of collaboration is introduced, Excel sheets become difficult to manage. Given the scope of a GDPR compliance project, there will likely be a vast number of Excel sheets created, as well as supporting Word docs and visualizations. Managing file versions in such instances can become a full-time job in itself, and is in no way efficient.

Reasons for using Ardoq

Our partner wanted to deliver living documentation which would be the foundation of the client’s GDPR documentation, and could be regularly maintained for accuracy.

Another key goal was giving the client the ability to garner a high-level overview. Ideally, the compliance team wanted to use values or metrics to prioritize next actions for compliance gaps, based on risk and impact. Attempting to do this via Word or Excel proved to be incredibly difficult.

This is where Ardoq came in.

We created standardized GDPR templates and an implementation guide in Ardoq. These resources gave the client everything they needed, in-app, to create the relevant GDPR documentation.

The documentation process

By moving project documentation into Ardoq, the client team was able to present a clear audit trail detailing observations, changes, and decisions taken to attain compliance. In the event of an external audit, the team now has the capacity to confidently present this process through interactive visualizations and in-depth descriptions to explain the current situation, as well as future plans on the path to compliance.

Implementing GDPR templates

Following discussions with the client and its data owners, we developed Ardoq models to answer the key questions they would need to answer on the path to compliance. By documenting the client’s data using the GDPR templates, we could quickly visualize and answer the following:

  1. What type of personal data is being collected in each process?
  2. What is the current assessment of the processes’ compliance with individual GDPR principles?
  3. Which GDPR principles are most troublesome when it comes to compliance?
  4. Which gap observations on application services have the largest impact?
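As an added illustration (not Ardoq's model, the GDPR templates, or the client's data), the register below records the three items from the gap analysis above for each process (data type, legal basis, purpose) plus a per-principle score, and answers the four questions programmatically; the 0-3 scoring scale, the risk and impact values and all sample entries are constructed assumptions.

```python
from dataclasses import dataclass

# Article 5 principles used as assessment columns (constructed 0..3 scale, 3 = compliant)
PRINCIPLES = ("lawfulness", "purpose limitation", "data minimisation",
              "accuracy", "storage limitation", "integrity & confidentiality")

@dataclass
class Process:
    name: str
    data_types: frozenset   # categories of personal data handled
    legal_basis: str        # Art. 6 basis relied on, e.g. "consent"
    purpose: str            # specific purpose the processing serves
    scores: dict            # principle -> 0 (gap) .. 3 (compliant)

@dataclass
class Gap:
    process: str
    app_service: str        # supporting application service where the gap sits
    principle: str
    risk: int               # likelihood, 1..5 (assumed scale)
    impact: int             # severity, 1..5 (assumed scale)

def scored(overrides=None):
    """Every principle starts at 3; only the observed gaps are overridden."""
    base = dict.fromkeys(PRINCIPLES, 3)
    base.update(overrides or {})
    return base

REGISTER = [  # constructed sample register, not real client data
    Process("Recruitment", frozenset({"CV", "contact details"}), "consent",
            "evaluate applicants", scored({"storage limitation": 1})),
    Process("Newsletter", frozenset({"email"}), "consent", "marketing",
            scored({"lawfulness": 1, "storage limitation": 2, "integrity & confidentiality": 2})),
    Process("Payroll", frozenset({"bank account", "national ID", "salary"}),
            "legal obligation", "pay employees", scored({"integrity & confidentiality": 0})),
]
GAPS = [  # constructed gap observations on application services
    Gap("Payroll", "HR-system", "integrity & confidentiality", 4, 5),
    Gap("Recruitment", "ATS", "storage limitation", 3, 3),
    Gap("Newsletter", "mail-tool", "lawfulness", 2, 4),
]

def data_types_per_process(register=REGISTER):
    """Q1: which categories of personal data each process collects."""
    return {p.name: sorted(p.data_types) for p in register}

def compliance_matrix(register=REGISTER):
    """Q2: each process's score against every individual principle."""
    return {p.name: p.scores for p in register}

def most_troublesome_principles(register=REGISTER):
    """Q3: principles ranked by mean score across processes, weakest first."""
    avg = {pr: sum(p.scores[pr] for p in register) / len(register) for pr in PRINCIPLES}
    return sorted(avg, key=avg.get)

def prioritised_gaps(gaps=GAPS):
    """Q4: gap observations ordered by risk x impact, largest first."""
    return sorted(gaps, key=lambda g: g.risk * g.impact, reverse=True)
```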

Below is an embedded Ardoq presentation showing each of these questions alongside a diagram answering them.

Documenting your own data with Ardoq’s GDPR templates

You can get access to our GDPR templates, instructions, and an in-app copy of the GDPR regulations. Visit this page to learn more.
