GDPR Before And After May 25

Jerome Pugnet

In just two months, the “big deadline” for European Union General Data Protection Regulation (GDPR) compliance is going to fall unyieldingly on businesses in Europe and around the world. That means that many people are now in the home stretch to get their employer ready – as much as they possibly can.

This may seem a provocative way to put it, since usually one is either ready/compliant or one is unready/noncompliant. However, conversations with customers, partners, analysts, and experts reveal that a significant number of impacted organizations will be in a “partial stage of readiness” when the deadline arrives.

Some of these businesses say they hope to be able to show authorities that they’ve implemented adequate responses to the most significant requirements of the regulation. Others are hoping to show that they are at least making their best effort. However, they have no certainty that it will be sufficient for the authorities.

Will the authorities be lenient? What about the public?

The question of whether the authorities will be lenient appears to be highly speculative. And the sentiment seems to vary widely from one country to another.

Most recently, the breaking news around Facebook and Cambridge Analytica has put the issue of data protection even more under the spotlight. One can imagine that this will not encourage leniency from the authorities, especially towards large organizations or holders of large amounts of personal data. At minimum, it shows that the topic won’t recede after May 25 or be limited to European concerns.

One more thing is certain: showing care for personal data and taking positive action to protect it will increasingly become a central element in many organizations’ communication strategy. It has deep implications in terms of actual execution while scrutiny increases (and not just from authorities). The super-fast amplification of any failure can unforgivingly hit the strongest brands.

What is actually being done today within impacted organizations?

So what is being done today to reach the stage of confident GDPR execution, where personal data is effectively protected and continuously managed in a compliant fashion? And is it sufficient?

In most cases, it probably isn’t, no matter how close a company is to total compliance, because for most companies the major focus is on meeting the deadline rather than on reworking, in depth, the processes by which data is managed, protected, secured, and governed.

From what we see and hear, important organizational steps have generally been taken (like the nomination of data protection officers or data protection “correspondents” across organizational units). But the solutions implemented to support the effort are often short-term fixes.

A portrait of three struggles

When it comes to becoming GDPR-compliant, we see:

  • Companies that have relied (and will continue to rely for some time) on their favorite consultants. These consultants have developed a good understanding of the articles of the GDPR and tools to cover key requirements, such as the recording of processing activities (ROPA), data protection impact assessments (DPIAs), data subject consent management, etc.
  • Companies that are implementing a set of tools to address different requirements, but not in an integrated fashion.
  • Companies that are utilizing recently created, specialized solutions that claim full coverage of the various areas of GDPR. But given these solutions’ immaturity, it’s difficult to determine how effective, easy-to-use, scalable, and maintainable they will be.

The need for stronger, broader, and integrated solutions

Looking at these different situations, I wonder how many of these organizations have actually found sustainable solutions that will allow them to both:

  • Comply, with reasonable effort, with the GDPR going forward and with other data protection regulatory requirements along the way
  • Be fully in control and equipped to effectively manage and protect the ever-growing masses of personal data they handle

For companies today, compliance concerns aren’t limited to a worry about the fines that are hanging over their heads. In this digital age, the smallest breach can be amplified extremely fast and expose a company’s reputation.

It’s certainly worth continuing the conversation after May 25 by moving beyond short-term fixes and stopgap measures.

Establishing strong governance with best-of-breed technology

As we described in an earlier GDPR blog, the different activities involved in enabling compliance with the GDPR and managing data privacy and protection should be brought together in a more coherent and integrated set around the “four pillars” (privacy governance, data management, data security, and consent management), with solutions that deliver the capabilities needed to support each of them.

Particularly important to orchestrating this set is establishing a strong data privacy and protection governance (first pillar). This pillar is the driver for the whole ensemble, and it calls for the use of best-of-breed GRC technology enabled by a high level of automation and integration with other business systems.

This involves:

  • Having in place and maintaining a robust, standardized control framework
  • Implementing and managing a comprehensive set of policies (with communication cycles and personnel enablement where needed)
  • Establishing processes for regular evaluation and monitoring of critical controls, with clearly defined accountability and issue management procedures
  • Reporting on a regular and ad hoc basis on control effectiveness and issues

This can also tie into the organization’s three lines of defense program, which allows it to take advantage of integrated audit management capabilities and help deliver increased assurance on the effectiveness of the GDPR program.

Bottom line

In the big rush to meet the May 25 GDPR deadline, many companies have been challenged to implement comprehensive, integrated solutions to meet the key requirements around data privacy governance, data security, data management, and consent management, while also equipping themselves with a durable, cost-effective technical base to manage data protection across their business. The longer-term need to develop a strong data privacy and protection program (to be fitter in an ever more digital business environment and to protect their brand and reputation) is another reason companies should leverage enterprise-wide, integrated solutions to support it.

Beyond the challenges we described, this can actually provide more opportunities to grow the business, as business partners have confidence that their data is protected and soundly managed.

It’s not too late for companies to review their options.

Learn more

This article originally appeared at SAP Analytics and is republished by permission.

About Jerome Pugnet

Jérôme Pugnet is a senior director of GRC Product Marketing at SAP SE, based in London, and has over 12 years of experience in risk and compliance management, business process control, IT governance, fraud and audit management domains, in particular in the financial services industry. He has over 16 years of previous experience on financial software and ERP, in implementation engagements and pre-sales advisory roles.