Organizations serving European consumers have been subject to GDPR since May 1, 2018, when the regulation went into effect.
That was a momentous date, both for consumers and for the organizations serving them. It also marked a time for action: the urgency of the deadline, the substantial risks of non-compliance, and the complexity of the GDPR process called on organizations to accelerate their planning, assess their current compliance posture, create a timeline for achieving compliance, and prepare for an audit. This urgency also spawned a number of solutions for helping organizations manage and track compliance and to build an information governance framework.
A recent story from CIO magazine, titled “The 5 Biggest Compliance Headaches,” notes that there are free tools to help companies with compliance. In fact, free tools, often spreadsheet-based, are intended for tracking compliance and are a step in the right direction. But most such tools have proven to be rudimentary, simply providing a repository for compliance data.
Broader toolkits also came to market for specialized aspects of GDPR, roughly divided into categories for assessment, implementation, and maintenance of compliance. One such tool is said to “equip privacy officers with the resources necessary to understand, assess, and develop a plan to achieve demonstrable GDPR compliance.” But such approaches, often called “point solutions,” have proven to fall short of helping organizations adhere to the broad scope of requirements for reaching, maintaining and documenting compliance.
More comprehensive, enterprise-class platforms, such as Odaseva, treat and automate virtually the most critical aspects of compliance. And these tools also document compliance, which is critical in any kind of regulation where failure to comply could result in disclosure of personal data, not to mention steep penalties, and could tarnish a company’s reputation.
The challenge is this: GDPR is so multifaceted that many data protection officers see these tools as interim solutions along the spectrum towards more comprehensive offerings that would not only monitor but also document and provide the reporting that is required by auditors.
GDPR is all about data—who can store it, access it, view it, and process it. And it’s designed to allow customers to have their personal data removed from corporate databases. “Answering questions like what data a company has, how it’s collected, what exactly is done with it and how long it is kept, will go a long way to assisting GDPR compliance,” said Eugene Tyrrell, a senior consultant in risk, security and privacy, in a recent story in TechTarget.
Unfortunately, in most modern businesses, data management is decentralized. An individual’s data may be stored in a variety of locations, making a process like finding all a customer’s data and correcting or erasing it tedious and manual. Fortunately, automation can greatly simplify data processes.
An automated solution can trigger automated processes to handle GDPR requirements while also maintaining the detailed logs that auditors want to see. And it can also automatically produce the reports and audit logs needed for proving compliance.
As an example of GDPR’s complexity, the depth and breadth of detail around privacy provides a view into just how structured and comprehensive a solution must be to ensure compliance.
The broad functionality of the Odaseva platform illustrates the value of automation.
For example:
Integration is also a benefit of an automated solution. For example, Odaseva also has the flexibility to integrate with any other system or application that touches a customer’s data by exposing an API. If a customer requests access to personal data, the fact that it’s stored in the cloud, on-premises – even in a legacy database – is no obstacle.
But, in the move to developing a comprehensive information governance framework, it’s important to recognize the limitations of tools that come integrated into applications in which organizations store their data.
As an example, 75% of enterprises keep their data in Salesforce. And Salesforce customers rightly expect that any enterprise-class CRM application will encompass privacy or security features needed to establish compliance.
But the truth is that, while Salesforce provides its own, integrated compliance tools, customers remain responsible for protecting personal data from their own mistakes in using backup and restore – a key component of compliance – minimizing personal data in developer sandboxes, or even automating data subjects’ rights such as the GDPR Right to be Forgotten.
And so, the watchword is to use compliance automation to your advantage and keep in mind that an audit may be just around the corner.