GRC Tuesdays: GDPR before and after 25 May
In just two months, the “big deadline” for European Union General Data Protection Regulation (GDPR) compliance is going to fall implacably on businesses in Europe and around the world, which means that many people are now into the home stretch as they work to get their employer ready—as much as they possibly can.
This may seem a provocative way to put it, since usually, one is either ready/compliant or one is not ready/not compliant. However, our conversations with customers, partners, analysts, and experts have revealed that a significant number of impacted organisations will be in a “partial stage of readiness” when the deadline arrives.
Some of these businesses have told us they hope to be able to show authorities that they’ve implemented adequate responses to the most significant requirements of the regulation. Others are hoping to show that they are at least making their best effort. They have no certainty that it will be sufficient for the authorities, however.
Will the Authorities Be Lenient? What about the Public?
The question of whether the authorities will be lenient appears to be highly speculative. And the sentiment seems to vary widely from one country to another.
Most recently, the breaking news around Facebook and Cambridge Analytica has put the issue of data protection even more under the spotlight. One can imagine that this will not encourage leniency from the authorities, especially towards large organizations or holders of large amounts of personal data. At least it shows that the topic won’t recede after the 25th of May, nor be limited to a European concern.
One more thing is certain—showing care for personal data and taking positive action to protect it will increasingly become a central element in many organizations’ communication strategy. It has deep implications in terms of actual execution whilst scrutiny increases (and not just from authorities). The super-fast amplification of any failure can unforgivingly hit the strongest brands.
What Is Actually Being Done Today within Impacted Organizations?
So what is being done today to reach the stage of confident execution of the GDPR, where personal data is effectively protected and continuously managed in a compliant fashion? And is it sufficient?
In most cases it probably isn’t, no matter how close a company is to total compliance, because for most companies the major focus is on meeting the 25 May deadline rather than on re-working in depth the processes by which data is managed, protected, secured, and governed.
From what we see and hear, important organisational steps have generally been taken (like the nomination of a DPO, or of data protection “correspondents” across organisational units), but the solutions implemented to support the effort are often short-term fixes.
A Portrait of Three Struggles
When it comes to becoming GDPR compliant, we see three kinds of companies:
- Companies that have relied (and will continue to rely for some time) on their favourite consultant(s). These are consultants who have developed a good understanding of the articles of the GDPR, along with tools to cover key requirements such as the records of processing activities (ROPA), data protection impact assessments (DPIAs), and data subject consent management, to name a few prominent ones.
- Companies that are implementing a set of tools to address different requirements, but not in an integrated fashion.
- Companies that are utilizing specialised solutions that have recently emerged claiming full coverage of the various areas of the GDPR. But given these solutions’ immaturity, it’s difficult to determine how effective, easy-to-use, scalable, and maintainable they will be.
The Need for Stronger, Broader, and Integrated Solutions
Looking at these different situations, I wonder how many of these organizations have actually found sustainable solutions that will allow them to BOTH:
- Comply, with reasonable effort, with the GDPR going forward, and with other data protection regulatory requirements along the way
- Be fully in control and equipped to effectively manage and protect the ever-growing masses of personal data they handle.
For companies today, compliance concerns aren’t limited to the fines hanging over a company’s head. In this digital age, the smallest breach can be amplified extremely fast and put a company’s reputation at risk.
It’s certainly worth continuing the conversation after the 25th of May by moving beyond short-term fixes and stop-gap measures.
Establishing a Strong Data Privacy and Protection Governance with Best-of-Breed Technology
As we described in an earlier GDPR blog, the different activities involved in enabling compliance with the GDPR and managing data privacy and protection should be brought together in a more coherent and integrated set around the “4 pillars” (privacy governance, data management, data security, and consent management), with solutions that deliver the capabilities needed to support each of them.
Particularly important to orchestrating this set is establishing a strong data privacy and protection governance (the first pillar). This pillar is the driver for the whole ensemble, and it calls for the use of best-of-breed GRC technology enabled by a high level of automation and integration with other business systems. Key elements of this governance include:
- Having in place and maintaining a robust, standardized control framework
- Implementing and managing a comprehensive set of policies (with communication cycles and personnel enablement where needed)
- Establishing processes for regular evaluation and monitoring of critical controls, with clearly defined accountability and issue management procedures
- Reporting on a regular and ad-hoc basis on control effectiveness and issues
This can also tie into the three lines of defense program of the organisation, which allows it to take advantage of integrated audit management capabilities and help deliver increased assurance on the effectiveness of the GDPR program.
In the big rush to meet the 25 May GDPR deadline, many companies have been challenged to implement comprehensive, integrated solutions to meet the key requirements around data privacy governance, data security, data management and consent management, while also equipping themselves with a durable, cost-effective technical base to manage data protection across their business. The longer-term need to develop a strong data privacy and protection program (to be fitter in an ever more digital business environment and to protect their brand and reputation) is another reason companies should leverage enterprise-wide, integrated solutions to support it.
Beyond the challenges described earlier, this can actually provide more opportunities to grow the business, as business partners gain confidence that their data is protected and soundly managed.
It’s not too late for companies to review their options.
- Visit SAP’s GDPR webpage for resources and information about which SAP solutions and services could help you govern your GDPR program and manage and protect your data for sustainable GDPR compliance.
- Read our other GDPR-specific blogs and check out the rest of our SAP Analytics blogs about other governance, risk, compliance, and security topics.
NOTE: The information contained in this blog represents the author’s personal opinion and is for general guidance only and provided on the understanding that SAP is not herein engaged in rendering legal advice. As such, it should not be used as a substitute for legal consultation. SAP SE accepts no liability for any actions taken as response hereto.
It is the customer’s responsibility to adopt measures that the customer deems appropriate to achieve GDPR compliance.