Governance, Risk Management, and Compliance blog

Continuous Compliance with the GDPR

Tuesday, 25 April 2017 / by Jakob Holm Hansen

Climbing that mountain of compliance, over and over again.

GDPR has been with us since 2018, and some are still panicking. Becoming compliant and staying compliant are two very different things. In this blog post, I will highlight the difference between the two and how to tackle the challenges that may arise along the way.

For the better part of a year, we have all been told that the EU GDPR is here, and that we will need to live up to a host of new requirements. The fear mongers have also told us about the huge fines we will be subject to, and just how far away from being compliant we all are.

So, there has been a lot of talk about which requirements we will be hit with, but there has not been as much talk about how to actually run an implementation project. And much of that talk is based on interpretations of the regulation and - in many cases - an unfounded over-implementation of it.

An example of this is the overly elaborate data flow diagrams we have been told we need to create (incidentally, usually by consultants who can charge us for the hours to create said diagrams for us) - even though there is not one single mention of a data flow diagram in the regulation.


Compliance: An Ever-Elusive Target

We try to promote the pragmatic approach, because what most people don’t realise is that the proverbial mountain of compliance we climb during implementation is one we will have to climb again every year. We need to stay compliant in a world that is constantly evolving:

  • Our organisation changes
  • We acquire new information and knowledge
  • Technology changes
  • The way we use technology changes
  • Our customers/citizens change
  • Our surroundings change

In other words, staying compliant is a moving target. And since we have to revisit our governance and compliance again and again, we need to make sure our approach is pragmatic, agile and maintainable. Unfortunately, there has been very little talk about how to ensure continuous compliance. In my opinion, there is only one way to even have a chance of ensuring continuous compliance: overview!

Overview Is Everything

Overview is the foundation of continuous compliance. If we don't know what processes need to be executed, and what the status and quality of those processes are, we are basically just fumbling in the dark with no chance of success.

Building on that foundation of overview, we are big advocates of managing your entire governance and compliance programme in a system built just for that. That in itself will help you maintain that crucial overview, but it will also greatly increase your efficiency in carrying out the different activities in your compliance programme.

That’s why we have created our GRC platform, including GDPR and data protection work areas, to provide you with that crucial overview. Moreover, the software will give you an efficient way of ensuring compliance by providing you with:

  • A dashboard for your DPO or implementation team, giving them a compliance overview
  • Quality content, so you won’t have to start from scratch
  • A way to map an overview (or data flow mapping, if you insist) of personal data in your organisation
  • DPIA functionality
  • Registration and handling of data breaches
  • Gap analysis of your compliance level
  • Quizzes and educational movies for employees and managers

Of course, it is possible to build your compliance programme in documents and spreadsheets instead, but you will have a really hard time maintaining that programme afterwards - we all know how quickly you lose sight of what’s what across documents that several people can access and edit. That is the ugly truth the consulting firms won't tell you when they leave you after the implementation project. They will simply leave you with a big, stinking pile of - paper.


Topics: compliance, eu general data protection regulation, eu gdpr

GRC blog

The NorthGRC blog offers advice and knowledge of effective information security management, security strategies, risk management, compliance with information security standards and other requirements, business continuity planning, ISO2700x, EU Data Protection Regulation, PCI DSS, etc.
