Are you willing to waste $1 million annually on GDPR compliance?

14 May 2018

by Petteri Vainikka

GDPR compliance is high on the agenda of all EU businesses, but are you adequately prepared? And could enhancing your processes save you vast sums of money?

As everyone is starting to realise, May 25 2018 is not the GDPR deadline — it’s the kick-off. For the people and tooling your organization has already invested in becoming GDPR compliant, this means that the investment made so far will most likely transform into an ongoing compliance cost.

In fact, in December 2017, Forrester predicted that maintenance budgets for GDPR and ePrivacy compliance are larger than initial budgets — and anticipates they’ll only get larger. Forrester further added that 58% of enterprises expect an annual maintenance budget of over $1 million, and a whopping 88% anticipate an annual maintenance budget above $500,000. Clearly, regulatory compliance with the GDPR has a material GRC budget impact, and cannot be sidelined as a mere one-off legal and/or consultancy expense.


Of course, the vast majority of GDPR compliance cost is people cost. This is both direct (a dedicated DPO or equivalent) and indirect (repeated interruptions to business process, data, and application owners and users caused by cumbersome GDPR data mapping and documentation needs), and it is in many cases exacerbated by a lack of suitable tooling. The result is unnecessary complexity, confusion, and workload for everyone.

Article 30 of the GDPR requires that a Data Controller “shall maintain a record of processing activities under its responsibility”. Article 30 compliance can of course be demonstrated quite simply by small organizations with few processing activities and limited data traffic, but most medium and large organizations face a very different scenario.

For organisations providing a diverse range of services and products to hundreds of thousands of customers, with technologies that vary from service to service, country to country, and office to office, ‘simple’ is a rarely used term.

Operationalising GDPR compliance

“Initial data flow mapping work identified 200+ processes in scope for GDPR compliance, and the detail of each needs to be documented and kept up-to-date continuously.”
- Ardoq customer

How can larger organizations operationalise GDPR compliance cost-efficiently and with minimal disturbance to business operations, and to those responsible for product and service P&L?

In February 2018, market analyst Gartner predicted that by 2021, more than 60% of large organizations will have a privacy management program fully integrated into the business, and that already by 2019, half of the world's large companies that process personal data will perform privacy impact assessments. However, despite this, only 10% will have a defined, automated PIA process in place.


Are you approaching GDPR compliance correctly?

In our research, several things stand out as critical success factors. Clearly, automation, two-way reusability of data mapping and documentation, ease of gap discovery, and no-UI data input ability are key to cost-efficient GDPR compliance. Attempts to solve the GDPR’s challenges manually (via Excel, for example) simply fall short, as do attempts with unsuitable tools. We’ve compiled a list of things to look out for to help you get started and to assess your current GDPR compliance approach.

Watch out for these warning signs:

  • Data flow mapping methods and hosting solutions are not capable of accurate and timely reporting of data flows
  • Methods prescribed by external consultants do not support actual business process improvement or data minimisation
  • Solution does not support out-of-the-box visualization of data flows that are understandable to business process owners
  • Visualizations of data flows show only basic metadata, with no ability to drill down into the maps
  • Metadata which would allow for effective risk management is not supported
  • Solution does not support out-of-the-box collaboration and stakeholder involvement, including no-UI data input ability
  • Audit logs, user rights management, and change management are limited or lacking entirely

Look for these positive indicators:

  • Easy to engage multiple business process owners and other data handling stakeholders without the need for new software training
  • Wide range of out-of-the-box data flow, process flow, criticality landscape, and other visualizations; all visualizations are auto-generated and offer the ability to drill into the maps
  • Supports automated gap analysis, customizable by business process criticality as well as data classification severity
  • Enterprise-grade user authentication security options, audit and tracking capabilities
  • Ready yet customizable templates for GDPR data mapping and DPIA assessment and automation
  • Supports and integrates with other security, quality, process, and IT management solutions already in use, and has a full RESTful API
