You’ve Achieved GDPR Compliance—Now What?
General Data Protection Regulation (GDPR). Most of us remember the months and weeks leading up to the deadline. We did whatever needed to be done to achieve compliance.
Now it seems like a distant memory. And the pressure is mostly off. But in other ways, it was just the beginning. As you continue creating your day-to-day compliance strategy, you might find that the tactics that got you to the finish line were more short-term solutions that won’t necessarily stand long-term.
“Companies are resorting to temporary controls and manual processes to ensure compliance until they implement more permanent IT solutions… Much work remains to be done after the May deadline if businesses are to overcome challenges like these and develop solutions that are sustainable in the long term.” —McKinsey & Company
To ensure you can sustain GDPR compliance for the long haul, you may need to dig deeper into four key areas: compliance framework, incident management, request management, and executive visibility.
Compliance Framework
Compliance for your organization might look like most others’: pieced-together manual solutions and workarounds, like spreadsheets. But continuing to rely on inefficient, ad hoc governance and management methods exposes you to considerable and unnecessary risk.
Companies can be fined up to 4% of their annual global revenue or €20 million, whichever is higher, if they fail to comply with GDPR standards.
Given the potentially devastating fines associated with non-compliance, spreadsheets simply aren’t a sustainable solution. You need a simple way to map GDPR articles—like those detailing consent (7), data access (15, 16, 17, 20), protection (25), and security (32)—to company controls to ensure you have your bases covered.
Request Management
While it has many layers, GDPR is ultimately about personal data control. Providing your data subjects with access to the data you store about them and giving them control over how that data is used (Articles 15-20) are the bedrocks of the regulation.
“…companies will need to ensure they have enough staff, adequate training, an appropriate process, and a ticket system equipped to handle related requests.” —McKinsey & Company
Because it’s also the most consumer-facing piece of the compliance puzzle, your ability to enable and manage access to personal data is critical. While the guidance around how you do this may be fuzzy, the rules of engagement are straightforward. Those who deliver the best customer experience through a simple self-service portal will win. And those who don’t risk losing customers to more able competitors.
Executive Visibility
GDPR requirements around data protection impact assessments (DPIAs)—like those detailed in Articles 35, 37, 38, and 39—can’t be sustained by cutting corners. If you’re relying on disparate and/or manual systems for aspects of GDPR, you’ll also be challenged by the regular data audits, reviews, and data management exercises needed to maintain compliance.
You need to provide executive management and your data protection officer (DPO), if applicable, a unified view of compliance governance and management. Beyond compliance, your visibility into the numbers and types of requests and incidents you’re managing is key to performing ongoing risk assessments and gap analysis, so you can streamline and refine your compliance posture.
As an IT pro, you’re no stranger to the challenge of data privacy and protection. But GDPR adds a whole new layer to your security governance and risk management requirements. More than ever, you need your service desk and security procedures to be tightly coupled.
Ivanti Neurons for Governance, Risk & Compliance (GRC) integrates a set of enterprise security management capabilities that address the demands of both security and service desk leaders. When you rely on Ivanti Neurons for GRC for your data governance and management, you can:
- Simplify mapping of GDPR articles to your security controls.
- Streamline your security compliance, easing the burden of your next audit.
- Accelerate security event and incident handling to aid your compliance.
- Extend self-service portal capabilities to provide data subject access.
- Automate risk assessments to better anticipate and mitigate risk.
You’ve achieved GDPR compliance. Now, it’s time to make it sustainable.
Want to learn more? Join us on December 2nd to hear from leading GRC experts on how you can manage risk proactively to minimize chances of security breaches, attacks and data theft.
McKinsey & Company quotes sourced from: Daniel Mikkelsen, Henning Soller, Malin Strandell-Jansson, Marie Wahlers, “GDPR compliance after May 2018: A continuing challenge,” McKinsey & Company, April 2018.