Phil Shomura

Senior Product Manager, ACL


The European Union (EU) General Data Protection Regulation (GDPR) effective date of May 25, 2018, is fast approaching. Are you ready to test all of your controls, procedures, and policies against the rigors of this game-changing data protection law?

GDPR compliance will create an operational burden

There’s no question that there’s a mountain of work to be done. Even though the goal was to simplify the obligations for organizations with a single, unified regulation across the entire EU, statistics have shown that there’s an expectation of greater investment and effort to comply with GDPR, not less.

It only takes one glance at the extensive articles in the GDPR to recognize that something more advanced than Excel and old-school manual testing is required to stay on top of obligations like deadlines, data subject requests, risk detection, data security, and escalations.

But at ACL, we believe in using technology to help you work smarter, not harder. This is how you can turn the tide from scrambling to meet compliance to empirically demonstrating your effort to comply, thereby establishing a defensible position. We recommend the following three steps to get started.

1. Remove the guesswork

Your path to GDPR compliance starts by understanding your obligations and requirements and the current state of your organization to meet them.

Not unlike other regulations, compliance is based on similar concepts and activities, even perhaps some of the same controls that you might encounter when planning for other regulations.

Some organizations have invested in NIST’s framework, ISO27001, ISO270018, SOCII, CSA, PCI DSS, and COBIT 5. If these frameworks have been implemented within your organization, these can be borrowed to jump-start your GDPR plans. The GDPR is silent on technological and security solutions and this neutrality means you may still need to develop policy and practices for the organization to work to. Why start again if you already have something?

In addition, the ACL platform has integrated GDPR content with ready-to-use regulatory compliance maps and industry frameworks, complete with controls and procedures to reduce your manual, administrative burden.

Using the ACL platform, you can:

  • Intuitively map controls and procedures to both legislative requirements and internal policies to ensure coverage.
  • Harmonize multiple requirements under the coverage of a single control or vice versa.
  • And where a requirement is not applicable, a rationale can be entered to document this for evidence that coverage was considered from the start.

Compliance maps break down regulations into parent and child requirements, to which you can easily map controls and procedures to demonstrate coverage and identify gaps.

2. Automate monitoring of your controls and procedures

Sourcing information is the starting point of any good defensible position. Automating the monitoring of material events from the source systems allows you to test that your privacy by default framework is working effectively.

Using ACL, you can inspect data flows and share that information with other members of your team for further investigation. With tools like surveys and questionnaires, you’ll uncover further insights to inform your investigative efforts into potential risks.

Where material events are uncovered, automated solutions can trigger remediation workflows to ensure the right people are notified, all within the context of preset priority statuses and escalation paths. For example:

  • Has a data subject request been received?
  • Has a request aged or an obligation gone ignored beyond an acceptable threshold?
  • Is a GDPR deadline approaching?

Many scenarios are perfect for this form of automation. Both from the controls monitoring perspective and the general workflow management of GDPR activities.

Remediation workflows can be triggered by exceptions, anomalous data, or surveys/questionnaires to ensure the right people are notified at the right time.

3. Strive for governance; don’t slave over your compliance activities

You’re reliant on a number of activities and systems, but remaining vigilant about your compliance posture is easier said than done. Believe it or not, it’s possible to keep a pulse on your compliance posture at all times, with visibility over material events in real time. Aggregating and pulling in feeds from different systems to visualize this brings the story together in a single lens.

Technology can help you achieve this holistic view and inform you of what activities are going on in the organization, including whether the status of those activities (controls or procedures) being monitored get you closer or further from compliance.

Being compliant and remaining compliant is about being able to bring together multiple disparate conversations, projects, initiatives, and activities.

ACL can help you stay on top of your governance while minimizing the work required to attest to effective controls and procedures that underpin your compliance efforts.

Generate visualizations on each data metric and compile these to create a rich, visual storyboard. Storyboards reveal a holistic picture where multiple visualizations tell a more fluid, contextual story around your GDPR compliance posture.

Storyboards visually interpret the data analytics around your key risk indicators. They present compelling and contextual stories about your risk and compliance posture for executives and boards.

GDPR readiness can be achieved without the chaos

GDPR compliance is no easy task. There’s considerable work to be done, processes and procedures to implement, maybe even some highly specialized tools to deploy.

But with these clearly identified and in place, finding a governance platform to help you coordinate all your compliance activities can bring order to the chaos.

ACL offers a governance platform that helps organizations address a diverse range of compliance objectives, including GDPR.

Our experience across different regulations allows you to leverage the latest automated monitoring technology to free you from administrative burdens so you can focus on strategic projects.

White paper: GDPR:
How to establish a strong defensible position

Find out the key actionable steps you should take as part of your GDPR planning. In this whitepaper, produced in cooperation with Information Management, we discuss how you can:

  • leverage technology solutions that will allow you to automate herculean tasks
  • establish a solid strategy, strong controls, and effective procedures
  • create a continuous-improvement loop to regularly update your company's compliance efforts and help develop industry gold standards
  • secure executive endorsements and engage cross-functional teams, including IT, legal, operations, and business lines.

Download whitepaper

Share This