The EU’s new General Data Protection Regulation (GDPR) sets forth a “lawful basis” for collecting and processing personal information. It will require most organizations to significantly improve data management and security, but most organizations are not ready to comply, especially with the requirement to demonstrate compliance. Fortunately, a company’s existing GRC tools, which are designed as central repositories for documenting and reporting on internal governance activities, can help organizations quickly implement the tracking processes necessary to demonstrate compliance.
Personal information is an increasingly valuable – and risky – business asset. Organizations want to collect as much personal information as possible to support better decision making and an improved customer experience. However, the fear of identity profiling, along with high-profile cyberattacks, has caused increasing concern about how to protect this information. The EU’s General Data Protection Regulation (GDPR), which went into effect in May of this year, aims to add privacy protections for all individuals currently residing in the EU, whether they are citizens or not. It also impacts most organizations around the world that are collecting or processing data about EU residents, even if the organization does not have a physical presence in the EU.
The regulation sets forth a “lawful basis” for collecting and processing personal information and will require most organizations to significantly improve data management and security. Yet, according to multiple surveys, most organizations are not ready to comply, even though a compliance failure can be expensive (fines of up to 4 percent of annual global turnover or €20 million, whichever is greater) and will likely result in damage to reputation and undesirable notoriety.
One of the trickiest areas of the regulation is that organizations must be able to demonstrate compliance. Think of it this way: a police officer typically needs to catch you speeding before giving you a ticket. But what if instead, you needed to prove that you had not sped during your entire drive? That’s the challenge of GDPR.
How GRC Tools Can Help
GDPR has added specific rules and regulations that must be followed regarding collecting and processing personal information. These include enabling EU residents to have the collected information deleted, alerting both impacted residents and supervisory authorities of a breach, and, as noted above, demonstrating to supervisory authorities the ability to comply. Fortunately, most organizations have already deployed Governance, Risk and Compliance (GRC) tools to support their compliance with financial regulations. Because these tools are designed as central repositories for documenting and reporting on internal governance activities, they can easily be used to help organizations track compliance with key requirements of the GDPR. Further, companies that have not yet deployed GRC tools to track financial regulatory compliance can now kill two birds with one stone.
The key GDPR requirements that GRC tools can support include the following.
Maintaining the mandatory inventory of processing activities – Article 30 of the GDPR, Records of Processing Activities, requires controllers (organizations that collect and process personal information) to keep a record of activities related to the information they process. This information includes the purpose of the processing, the types of personal information involved, the categories of recipients the information will be shared with, and more. Processors (organizations that process personal information on behalf of a controller) must also keep records related to the controllers they work with, categories of processing for each controller, the transfer of personal information internationally, and more.
Documenting privacy and data protection impact assessments – Article 35 sets out various requirements for conducting and documenting privacy and data protection impact assessments. These assessments must include at least a description of the processing operation and purpose, the necessity and proportionality of the processing operation in relation to the purpose, the risk to the rights and freedoms of the data subjects, and the measures taken to address the risks.
Maintaining a central repository of documentation and evidence related to the privacy control framework, evaluation of control design, and testing of operating effectiveness of controls – As noted above, complying with the GDPR requires being able to demonstrate compliance. As such, organizations must develop a control framework for the management activities they will use to ensure compliance. The framework and all the activities related to evaluating and testing the framework need to be documented in a central repository.
Maintaining a central repository of data breaches and breach impact evaluations – As with the control framework, all activities related to experiencing a breach, evaluating why the breach occurred, and the response to the breach must be documented.
Creating reports for breach notifications and to provide evidence of compliance – Within 72 hours of becoming aware of a breach involving personal data, a controller must notify a supervisory authority. The notification must include at least a description of the nature of the breach, the categories and approximate number of data subjects impacted, an estimate of the total number of data records involved, the likely consequences of the breach, and the measures taken or to be taken to address the breach.
One Tool for Faster, Simpler Risk Management
With flexible centralized repositories and reporting capabilities, a GRC tool is an excellent solution for developing the ability to demonstrate compliance as required by the GDPR. And using an existing GRC tool to support GDPR compliance has two additional benefits. First, it will likely reduce costs related to deployment, configuration and maintenance, since the organization already has resources familiar with configuring the tool, and the cost may simply involve increasing the number of users or licenses. Second, and even more important, familiarity with the tool will likely mean faster time to deployment, and a shorter time to deployment means faster time to compliance.
The GDPR may well be the tip of a very large iceberg of new privacy regulation. This means developing privacy compliance processes using a flexible GRC tool may be one of the best long-term investments an organization can make.