A Simple Four-Pillar Approach To Structuring GDPR Programs

Evelyne Salie

In a GDPR project or any data privacy-related enterprise project, there are many ways to start and structure it. We’ll find as many individual approaches as there are companies that are managing data privacy requirements – all of them contributing to good results in good faith. Therefore, there is no wrong approach per se.

Knowing that comprehensive data protection and privacy management call for orchestrated activities within processes, organizations, and heterogeneous system landscapes, a strategic plan and architecture (avoiding uncoordinated individual activities) sounds beneficial.

In addition, as companies start exploring new business models and evolving their digital transformation strategy, it might be wise to think about including a sustainable data protection and privacy management architecture into that transformation journey.

I don’t want to introduce another new GDPR/data protection and privacy framework today. But it might be worthwhile to think through the following systematic approach and use it as a kind of cross-check from another perspective. The listed capabilities aren’t meant to be complete but can motivate you to check the status of your project and help you see how to improve its setup and tools.

The environment

Keep in mind that in a GDPR/data privacy project, companies need a methodology to consolidate the various impacts of heterogeneous system landscapes, analysis of business processes where personal data is being processed, and change management within the organization.

1. The ultimate base: data security

Dealing with any kind of personal data requires proper security management, and data breach data security is a prerequisite. The foundation covering these aspects:

  • Analysis of critical and sensitive access to personal data
  • Compliant authorization concept, incorporate policies in provisioning processes
  • Limited and fine-grained access management by using attributes to define specific policies
  • Identity management, customer identity management
  • Monitoring and reporting of data privacy incident/breach metrics (nature of breach, risk, root cause)
  • User interface (UI) loggings
  • Third-party risk management

2. Governance and accountability

Governance and accountability focus on monitoring organizational readiness with questionnaires and assessments, prioritize requirements for compliance, and provide executive-level visibility with detailed reports:

  • Maintain inventory of personal data holdings: what and where personal data is held and processed
  • Conduct risk assessment for enterprise data privacy impacts
  • Maintain corporate data privacy policies, including employee data privacy policies
  • Conduct employee training and certifications
  • Document legal requirements, ownership, purpose, and integration into internal control system
  • Report and monitor risks, controls, and compliance status
  • Integrate internal and external audit process

3. Data management

In this context, data management is all about establishing the technical capabilities to discover, localize, and visualize personal data categories and flows to manage data subjects’ consent and other preferences:

  • Identification and categorization, tagging, indexing, and mapping of personal data
  • Managing procedures for blocking, rectification, deletion, and archiving of personal data
  • De-personalization: encryption, pseudonym-izing
  • Data minimizing (UI masking and so on)
  • Cross-border data transfer, including controls, geo-fencing
  • Data flow analysis

4. Enterprise interactions

In order to handle a data subject’s consent and other requests, as well as interactions with authorities, companies will need a portal that provides services like:

  • Consent management for data subjects, grant and revoke consent
  • Receive and acknowledge privacy notices
  • Authority interactions
  • Customer preference management
  • Access to personal data requests
  • Breach-notification handling, maintain a data privacy incident/breach response plan

Bottom line

Yes, there are many other ways to structure your program, but I think it’s worth at least having a deeper look at it. And remember:

  • Be open for innovations: integrate a program into your digital transformation strategy and try to avoid starting uncoordinated point solutions for pain relief
  • Involve all stakeholders in your company and manage this program holistically

Learn more

  • Review these assets, including a Webinar, to find out more about how you can turn GDPR compliance into a growth opportunity.
  • Read this blog about how GDPR can present an opportunity to mitigate corporate risk.
  • Read the rest of our GRC Tuesday series blogs on GDPR.

Follow SAP Finance online: @SAPFinance (Twitter) | LinkedIn | Facebook | YouTube

This article originally appeared on SAP Analytics.


Evelyne Salie

About Evelyne Salie

Evelyne is a highly experienced IT-Solution Principal, Business Developer and Project Manager with over 10 years IT- industry experience within the Governance Risk and Compliance and Finance area of expertise. She currently works as a Senior Director in Business Development at SAP Finance and GRC solutions. In her business development role she is working on concepts and realization for new generation of Finance solutions, running in real time, integrating predictive, Big Data, and mobile, which will change how offices of the CFO work, how the business is run, and how information is consumed.