How GRC solutions help companies meet GDPR requirements
In May 2018, companies raced to the finish line to achieve GDPR compliance. Because it was the regulation's first year, many industry experts expected no companies to be fined. That is about to change. In January 2019, Google was hit with the first major GDPR fine, $57 million, putting an end to the unspoken grace period. Companies should treat this as a warning: get compliant or risk massive fines. This matters all the more because only 59 percent of organizations report meeting all or most GDPR requirements, 29 percent expect to do so within a year, and nine percent say it will take more than a year.
With the stress of GDPR and a potential wave of further consumer privacy legislation on the horizon, CISOs need help. Rather than continuing to spin their wheels, CISOs should consider governance, risk and compliance (GRC) solutions that simplify GDPR compliance by streamlining operations so that fines and penalties are avoided altogether. Below are three ways a GRC solution can help.
Centralization of key data and activities
For many organizations, spreadsheets, email, and other manual approaches to tracking data and compliance activities are the norm. A manual approach to GDPR compliance, however, only makes the CISO's task harder. Rather than creating more problems, CISOs should look to GRC solutions, which create a central repository of key compliance activities and information. With such a repository, risk managers can see every activity that falls under GDPR compliance and monitor the processes dedicated to meeting the regulation's requirements.
A centralized location for all key data and activity gives internal stakeholders and executives clear visibility. It keeps information from becoming siloed, so data can be accessed easily when it is needed. It also makes the program transparent: when centralization is lacking, nobody can say with confidence what has been done or verify that it was done, and that lack of clarity and verifiability is a significant hardship.
Ability to demonstrate compliance
Beyond centralizing key data and activity, GRC solutions make it easier for companies to demonstrate GDPR compliance to internal and external parties. When all GDPR compliance activities are visible in one location, pulling together the information needed for reporting and sharing becomes straightforward, efficient and clear.
There are several situations where the ability to demonstrate compliance is especially important. A risk manager can save time and stress by quickly pulling relevant information for an executive who wants a progress update on GDPR compliance or needs other information. In other cases, a business may need to prove GDPR compliance to qualify for contracts with outside parties such as potential clients or governmental organizations. GRC solutions give CISOs and risk managers the tools they need to prove compliance with a minimum of effort.
Quick responses to breaches
Given GDPR's strict rules on breach response, a robust incident-response plan is a necessity. CISOs will want all protocols documented well ahead of time, before a breach occurs. Such plans range from quite general to highly specific to the market and type of data involved. At a bare minimum, however, a plan needs to identify key personnel, responsibilities, communication protocols, and timelines. Timelines matter because GDPR requires notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it where feasible, and notifying the affected individuals without undue delay when the breach is likely to result in a high risk to them. The clock starts when the breach is discovered, so the plan must be ready to execute before that moment.
Additionally, GRC solutions give companies the opportunity to transform their incident-response plans from static to interactive. This becomes especially important once a company has to execute its plan during a real breach. Static incident-response plans create siloed departments and lost communication, leaving much of the responsibility on one person who must relay information across the organization. By putting an interactive process in place, companies can automatically capture:
- The day and time the incident occurred
- The type of incident
- Each employee involved in the incident
- All communications concerning the incident
- Root cause analysis of the incident
Benefits of an interactive incident response plan
GRC solutions provide an interactive incident-response plan and let companies customize and automate workflows. In this way, complex risk-management processes go from difficult to user-friendly, and employees can feel confident in their response to a breach.
Recent reports show that GDPR regulators are currently over-extended and unable to keep up with the volume of reported breaches. Out of 59,000 GDPR data breach notifications, only 91 have resulted in fines. Companies shouldn't relax, though. Rather, they should expect the fine Google received to look minor compared with what is to come in 2019, and should not be surprised to see a company (or several) held up as examples. Given that a full 38 percent of organizations worldwide have yet to meet all or most GDPR requirements, it is only a matter of when.
Matt Kunkel is the co-founder and CEO of LogicGate. Prior to LogicGate, he spent over a decade in the management consulting space building technology solutions to operationalize regulatory, risk, and compliance programs for Fortune 100 companies. It was during this time he learned the skills to realize his true calling: building world-class companies that meaningfully affect the lives of others through user-friendly technology. Given his extensive background in the GRC space, Matt regularly speaks and consults on risk and compliance.