In my last blog, ‘Don’t take this personally’, I covered the importance of people understanding what GDPR is trying to achieve. But how should a company maintain compliance with the regulation over time?
Many organisations start their compliance journey by getting external companies in to help them understand the regulation and to get them where they need to be. This approach generates “content” in the form of what data an organisation processes, who it is shared with, and what security measures are in place to protect this important information. This information is then stored away on a collaboration site of some sort.
The above approach will ensure you are compliant initially but has weaknesses that will show over time as business processes, and the data they use, changes. For the GDPR these weaknesses will appear when handling Data Subject Requests or responding to suspected data breaches.
To handle these requests effectively you need the information to complete the request. For example:
- Where is all this personal data kept?
- What system is it in?
- What country does it reside in?
- Would it be compromised if database X was hacked?
Can you answer these questions using all your documented processing activities?
I am sure the answer is yes, but perhaps not without a significant level of effort. A well-known hotel group has already realised this and asked the governing body for longer to respond to requests….
Complying with the GDPR
It is fast becoming clear that complying with the GDPR is a journey. Phase one is complete for all organisations – the focus being on gathering the data needed to comply with the regulation.
The second phase is about improving maturity – taking the information gathered about how data is processed then making it part of the data that describes how the company operates. In most cases it will end up in the CMDB.
ServiceNow can help on this journey. It has a mature CMDB offering to ensure you know where your data is kept. It has a GRC plugin that allows you to model the Risk of all the data you process. It is also a great task management system ensuring all those requests are dealt with in the required timescales.
However, it can’t be truly effective without a bespoke GDPR offering. So TESM has created one. You can access it and find out more from the ServiceNow Store.
The application allows you to document all the compliance data you gathered in the first phase and empowers you to handle the operational activities, with access to the required information about where your data is.
Now you can respond to those access requests in minutes not days and the true impact of breaches can be understood much faster. That is what GDPR was designed to achieve.