Spreadsheets: A risky approach to managing GDPR compliance

John Verver, CPA CA, CISA, CMC

Advisor to ACL

    

If your organization is subject to the European Union (EU) General Data Protection Regulation (GDPR) and you are in any risk and compliance role, you are (hopefully) already well aware that May 25, 2018 is approaching fast. This is the date on which the regulation comes into effect, by which time your organization needs to be in compliance with its extensive and onerous requirements.

Preparing for and maintaining compliance involves considerable effort, though the investment would seem easy to justify when failure to comply brings the risk of penalties of the greater of 4% of global revenues and 20 million euros. That’s certainly enough to get the serious attention of more than just the chief risk officer or chief compliance officer. The CEO and various board committees are likely to be interested in knowing that everything is being done to ensure they never see the organization’s name make headlines for a GDPR compliance failure.

What are you using to manage the risks of a GDPR compliance failure?

So what system are you using to manage your GDPR compliance processes? You would certainly not be alone if your answer was that Excel, along with perhaps a few other software products in the Microsoft Office suite, make up the platform for your compliance systems. All indications seem to be that more than 50% of organizations currently rely on spreadsheets as their primary GRC software tool. Since so many organizations use Excel for much of their risk and compliance processes, it is perhaps to be expected that GDPR is seen as just another compliance process that can be managed similarly.

A short-term solution can become a long-term problem

It is not surprising that spreadsheets are still in such common use. Many GRC processes were first formalized almost two decades ago, when there were few software options. The first specialized GRC software products had started to become available, but they were often seen as inflexible, time-consuming to implement, and costly. On the other hand, everyone had access to spreadsheets, people were generally familiar with using them, and they were perceived as zero cost. The quick solution was to track risk and compliance issues using an apparently simple tool, though one which rapidly became more complex. Over time, organizations found themselves with a sprawling universe of spreadsheets and worksheets that were expected to address an ever-increasing number of requirements for managing multiple aspects of risk and compliance.

The practical drawbacks to spreadsheets are generally well known. They are prone to error and many forms of unreliability. They can be confusing and difficult to navigate. They take a lot of administrative effort to coordinate and manage effectively. There is no simple way in which they can support complex workflow, even when combined with the use of SharePoint and Outlook/Exchange. They are clumsy mechanisms for producing integrated reports and dashboards.

GDPR compliance processes themselves are not substantially different in nature from many other compliance processes (e.g., SOX, FCPA). However, the sheer number of processes involving some aspect of data privacy, performed both internally and by service providers, as well as the multiple instances of relevant data itself, means that there is a lot to manage.

GDPR compliance should be a lot more than a documentation exercise

In order to be effective, GDPR compliance systems need to do a lot more than simply document the affected processes and data, as well as the related risks and controls. If this was all that was involved, then perhaps Excel and Word would be an adequate solution. However, there should be ongoing monitoring of vast volumes of data, activities, and transactions throughout the affected systems. Incidents and exceptions need to be identified, appropriately notified, and then resolved. Surveys and questionnaires around compliance activities and control effectiveness need distribution, collation, and analysis. There should be dashboards that provide up-to-date insights into the overall status of compliance. In many cases, all of this should be fully integrated into an enterprise-wide risk and compliance management system. Even for those organizations with the smartest and most adept spreadsheet users, generic software is simply not up to the job.

There is a better way to manage GDPR risks and compliance

There is a lot at stake with GDPR compliance, as there is with many critical regulatory compliance areas. Choosing to use and maintain in-house developed systems built upon generic tools would not appear to be a wise decision. Such an approach is itself inherently risky, relying on the hope that it will be effective and avoid a highly damaging compliance failure. On the other hand, taking an integrated technology-driven and data-driven approach, using software designed specifically for the purpose, can reduce the risk of compliance failures, lower the cost of compliance, and provide evidence of a strong defensible position in the event that regulators come knocking at your door.

White paper: GDPR:
How to establish a strong defensible position

Find out the key actionable steps you should take as part of your GDPR planning. In this whitepaper, produced in cooperation with Information Management, we discuss how you can:

  • leverage technology solutions that will allow you to automate herculean tasks
  • establish a solid strategy, strong controls, and effective procedures
  • create a continuous-improvement loop to regularly update your company's compliance efforts and help develop industry gold standards
  • secure executive endorsements and engage cross-functional teams, including IT, legal, operations, and business lines.

Download whitepaper

Share This