GRC Tuesdays: Is GDPR the New SOX?
For those who, like me, have long been involved in governance, risk and compliance (GRC)—like since the early 2000s—doesn’t this whole GDPR (General Data Protection Regulation) “drama” feel like déjà vu? We’re seeing a new strict regulation imposed on all types and sizes of companies, with tough deadlines and hefty fine risks. And as a result, we’re also seeing among a large majority of companies high anxiety and deep concerns that the requirements can’t be met in time. Familiar?
Quite symmetrically to the Sarbanes–Oxley Act of 2002 (SOX) in America, the GDPR is imposed unilaterally for application in the EU only, but due to the size of the market, it impacts companies all over the world, as so many have operations in the EU. And being less familiar with the data privacy practices prevailing in Europe, non-EU companies may find it even more concerning, as shown by the current multiplication of conferences on the topic in the US alone.
In parallel, CFOs are concerned more than ever with the costs that go with the processes and resources in place to respond to compliance requirements. Containing the cost of compliance ever since the “SOX Wave” has proven very challenging, and reactive approaches to compliance and scattered responses to the diverse impositions of the legislation have particularly contributed to pushing these costs. No wonder they’re dreading a similar scenario with the advent of GDPR.
Improved Technologies Are Making a Difference
Luckily, technologies have moved a long way since the early days of SOX. Many of us certainly remember (from those glorious, early days) the “joy” of documenting and manipulating masses of spreadsheets, word documents, and other files, and the headaches of consolidating all this information to produce the reports and go through process walk-through, certifications, and sign-offs.
GDPR is also very much about documenting, and making sure that the needed policies, controls, and procedures are in place, and being able to demonstrate this to the authorities. So, on the governance side of things, companies can capitalize on the experience from all these years (learned the hard way), which should allow for a more efficient and effective path to compliance—hopefully with less trauma and cost.
This naturally applies to the supporting technologies that are available to manage such compliance requirements, which involve in particular:
- A robust control framework
- Complete policy lifecycle management
- Control evaluation and monitoring capabilities
- Comprehensive reporting features
A number of vendors have emerged since the early 2000s to respond to these requirements at varying levels of depth, which has helped companies reduce the burden of financial compliance to a degree. At SAP, we’ve consistently developed best-of-breed capabilities through our SAP Process Control solution, implemented by hundreds of our customers to automate their compliance management. They also benefit from best practices coming from the breadth of experience of a large community of users and the broad SAP ecosystem of partners.
Choosing the Right Solution to Help with SOX Compliance
So unlike the situation found in the early days of SOX, companies have good options for technologies they can use to govern their GDPR compliance. However, before choosing a solution, they should consider the degree of automation provided, the range of capabilities, and the flexibility of the tools available: for example, to support the assessments and surveys the GDPR requires on data privacy risks and impacts, and for the evaluation of processes and controls.
They may also want to ensure that the chosen solutions can fit into a three-lines-of-defense set, notably to take advantage of integrated audit management capabilities that can help deliver robust assurance on the effectiveness of their GDPR program.
On an ongoing basis—and since GDPR is here to stay—the automation and integration brought by the right GRC technology can also help monitor GDPR compliance more effectively and continuously, and make it a sustainable program while keeping costs under control.
Govern and Operationalize GDPR Compliance
Other technologies beyond GRC are also critical to “operationalize” GDPR compliance, which involves managing the complete data lifecycle on a day-to-day basis:
- Privacy impact assessments
- Secure storage of active data
- Data access governance
- Data breach notification and resolution
- Archiving and deleting
All these capabilities are available from major technology providers and are already widely used, but there again, the right solution choices are important to ensure the requirements of the regulation can be met for all aspects of the management of personal data. It is also critical that the chosen data management tools can operate harmoniously with the GRC solution that governs the overall GDPR program. Concretely, this means that controls can be plugged in at each step of the data management cycle to verify that these processes are operating compliantly.
In Summary
Despite the anxiety and pressure created by the arrival of the GDPR, companies have good options in terms of GRC and data management technology (unlike in the early days of SOX). They can also leverage the capital of experience accumulated throughout the years and best practices that consulting firms provide, to get them on the right path to GDPR compliance.
However, in their technology choices, it’s important to verify that the chosen solutions can help them both govern and operationalize GDPR compliance, with both:
- Strong policy management and control automation capabilities on the governance side, and
- Comprehensive data management features to support the complete data lifecycle in accordance with the requirements of the regulation, on the operational side.
And last but not least, they should ensure that those GRC and data management solutions can interact seamlessly and integrate with their existing business applications, where the personal data that needs protecting is most widely used.
This will help make the GDPR journey much less painful, and allow them to implement a sustainable GDPR program, where costs can be kept well under control.
- “Ayurvedic” GDPR by Neil Patrick
- Part One—Big Data Privacy Risks and the Role of the GDPR by Evelyne Salie
- Part Two—Big Data Privacy Risks and the Role of the GDPR by Evelyne Salie
- GDPR Is About More than DATA Management, It’s About Governance by Neil Patrick