Monday, January 25, 2021
Corporate Compliance Insights

Making GDPR Compliance Easier with a GRC Tool

by Tjakko de Boer
June 1, 2018
in Data Privacy, Featured

The EU’s new General Data Protection Regulation (GDPR) sets forth a “lawful basis” for collecting and processing personal information. It will require most organizations to significantly improve data management and security, but most organizations are not ready to comply, especially with the requirement to demonstrate compliance. Fortunately, a company’s existing GRC tools, which are designed as central repositories for documenting and reporting on internal governance activities, can help organizations quickly implement the tracking processes necessary to demonstrate compliance.

Personal information is an increasingly valuable – and risky – business asset. Organizations want to collect as much personal information as possible to support better decision making and an improved customer experience. However, the fear of identity profiling, along with high-profile cyberattacks, has caused increasing concern about how to protect this information. The EU’s General Data Protection Regulation (GDPR), which went into effect in May of this year, aims to add privacy protections for all individuals currently residing in the EU, whether they are citizens or not. It also impacts most organizations around the world that are collecting or processing data about EU residents, even if the organization does not have a physical presence in the EU.

The regulation sets forth a “lawful basis” for collecting and processing personal information and will require most organizations to significantly improve data management and security. Yet, according to multiple surveys, most organizations are not ready to comply, even though a compliance failure can be expensive, up to 4 percent of annual global turnover or €20 million, whichever is greater, and will likely result in damage to reputation and undesirable notoriety.

One of the trickiest areas of the regulation is that organizations must be able to demonstrate compliance. Think of it this way: a police officer typically needs to catch you speeding before giving you a ticket. But what if instead, you needed to prove that you had not sped during your entire drive? That’s the challenge of GDPR.

How GRC Tools Can Help

GDPR has added specific rules and regulations that must be followed regarding collecting and processing personal information. These include enabling EU residents to have the collected information deleted, alerting both impacted residents and supervisory authorities of a breach, and, as noted above, demonstrating to supervisory authorities the ability to comply. Fortunately, most organizations have already deployed Governance, Risk and Compliance (GRC) tools to support their compliance with financial regulations. Because these tools are designed as central repositories for documenting and reporting on internal governance activities, they can easily be used to help organizations track compliance with key requirements of the GDPR. Further, companies that have not yet deployed GRC tools to track financial regulatory compliance can now kill two birds with one stone.

The key GDPR requirements that GRC tools can support include the following.

Maintaining the mandatory inventory of processing activities – Article 30 of the GDPR, Records of Processing Activities, requires controllers (organizations that collect and process personal information) to keep a record of activities related to the information they process. This information includes the purpose of the processing, the types of personal information involved, the categories of recipients the information will be shared with, and more. Processors (organizations that process personal information on behalf of a controller) must also keep records related to the controllers they work with, categories of processing for each controller, the transfer of personal information internationally, and more.

Documenting privacy and data protection impact assessments – Article 35 sets out various requirements for conducting and documenting privacy and data protection impact assessments. These assessments must include at least a description of the processing operation and purpose, the necessity and proportionality of the processing operation in relation to the purpose, the risk to the rights and freedoms of the data subjects, and the measures taken to address the risks.

Maintaining a central repository of documentation and evidence related to the privacy control framework, evaluation of control design, and testing of operating effectiveness of controls – As noted above, complying with the GDPR requires being able to demonstrate compliance. As such, organizations must develop a control framework for the management activities they will use to ensure compliance. The framework and all the activities related to evaluating and testing the framework need to be documented in a central repository.

Maintaining a central repository of data breaches and breach impact evaluations – As with the control framework, all activities related to experiencing a breach, evaluating why the breach occurred, and the response to the breach must be documented.

Creating reports for breach notifications and to provide evidence of compliance – Within 72 hours of becoming aware of a breach involving personal data, a controller must notify a supervisory authority. The notification must include at least a description of the nature of the breach, the categories and approximate number of data subjects impacted, an estimate of the total number of data records involved, the likely consequences of the breach, and the measures taken or to be taken to address the breach.

One Tool for Faster, Simpler Risk Management

With flexible centralized repositories and reporting capabilities, a GRC tool is an excellent solution for developing the ability to demonstrate compliance as required by the GDPR. And using an existing GRC tool to support GDPR compliance has two additional benefits. First, it will likely reduce costs related to deployment, configuration and maintenance, since the organization already has resources familiar with configuring the tool, and the cost may simply involve increasing the number of users or licenses. Second, and even more important, familiarity with the tool will likely mean faster time to deployment, and a shorter time to deployment means faster time to compliance.

The GDPR may well be the tip of a very large iceberg of new privacy regulation. This means developing privacy compliance processes using a flexible GRC tool may be one of the best long-term investments an organization can make.


Tags: GDPR
Tjakko de Boer

Tjakko de Boer is a director in the Technology Consulting practice at Protiviti, a global consulting firm. He has more than 20 years of experience in information security and privacy, IT governance and IT audit services. He has been leading multiple client engagements for GDPR compliance and audits in Europe.

© 2019 Corporate Compliance Insights