25 Apr 2017
GDPR has been with us since 2018, and some are still panicking. Becoming compliant and staying compliant are two very different things. In this blog post, I will highlight the difference between the two and how to tackle the challenges that may arise along the way.
For the better part of a year, we have all been told that the EU GDPR is here, and that we will need to live up to a host of new requirements. The fearmongers have also told us about the huge fines we will face and just how far away from compliance we all are.
So, there has been a lot of talk about the requirements we will face, but not as much about how to actually run an implementation project. And a lot of that talk is based on interpretations of the regulation and, in many cases, an unfounded over-implementation of the regulation.
An example of this is the overly elaborate data flow diagrams we have been told we need to create (incidentally, usually by consultants who can charge us for the hours to create said diagrams for us), even though there is not one single mention of a data flow diagram in the regulation.
We try to promote the pragmatic approach. What most people don't realise is that the proverbial mountain of compliance we are climbing during implementation is one we will have to climb every year. This is because we need to stay compliant in a world that is constantly evolving:
In other words, staying compliant is a moving target. And since we have to revisit our governance and compliance, we need to make sure our approach is pragmatic, agile and maintainable. Unfortunately, there has been very little talk about how to ensure continuous compliance. In my opinion, there is only one way to even have a chance of ensuring continuous compliance: an overview!
Overview is the foundation of continuous compliance. If we don't know which processes need to be executed and what their status and quality are, we are basically fumbling in the dark with no chance of success.
Building on that foundation of overview, we are big advocates of managing all of your governance and compliance programme in a system built just for that. That in itself will help you maintain that crucial overview, but it will also greatly increase your efficiency in carrying out the different activities in your compliance programme.
That’s why we have created our GRC platform, including GDPR and data protection work areas, to provide you with that crucial overview. Moreover, the software will give you an efficient way of ensuring compliance by providing you with:
Of course, it is possible to build your compliance programme in documents and spreadsheets instead, but you will have a really hard time maintaining that programme afterwards - we all know how quickly you lose sight of what’s what in different documents that several people can access and edit. That is the ugly truth the consulting firms won't tell you when they leave you after the implementation project. They will simply leave you with a big, stinking pile of - paper.
Want to know more? Download our 7-step guide to complying with the GDPR