GDPR compliance: more than just a checklist
Neil Patrick
Director of SAP Centre of Excellence for GRC & Security covering EMEA
LinkedIn: https://www.linkedin.com/in/neil-patrick/
Put yourself in a regulator’s shoes: how would you audit an organization to assess how well it complies with the GDPR? Technical measures such as encrypting data are good to have, but on their own they say nothing about the risk of physical, material or non-material damage to data subjects. Why is that data encrypted, and what is it being used for? The GDPR requires an organization to demonstrate that personal data is used only for the specific purpose it was collected for, that it is processed lawfully, and that controllers and processors actively record how they will process and protect it.

So what evidence would you need? Ideally, a digital record and audit trail of the business processes involved, covering the full span of decision-making, data acquisition, use and deletion; the linked purpose and nature of processing; security and access management; the level of risk; the handling of issues and infringements; and corporate process ownership and accountability actually being exercised.

I still see this aspect missing from customers’ GDPR compliance programs, even though (a) software technology is available to do this, (b) this body of material is exactly what an auditor will examine to determine the seriousness of an infringement and the size of any fine, and (c) this is how you reduce the cost of data privacy compliance.