Compliance activities for organizations are often driven from the legal or risk groups. The initial focus is on management’s position and actions required to be compliant; generally this starts with the creation of policies. This makes sense as policies are a reflection of management’s intent and provide guidance on how to put strategic thinking into action. The legal teams provide legal interpretation and direction with respect to risk. This is also incorporated into the policies.So, what happens next as your organization addresses challenges around ensuring effective implementation and subsequent operational oversight of policies required for General Data Protection Regulation (GDPR) compliance?
The challenges associated with GDPR as well as other compliance activities are centered on achieving “Audit Resilience.” We define this as the ability to address the needs of the Auditor – internal or external – in such a way that compliance is operationally enabled and can be validated easily and with minimal disruptions and cost. The goal is to reduce the stress, the chaos and the costs that often accompany these events to a manageable level.
What Does Audit Resilience Mean?
Audit Resilience means that the auditor can:
- Easily discern the clear line of site between Policies => Standards => Controls => Actors => Data.
- Review and explicitly align governance artifacts (policies, standards and processes) to compliance requirements.
- Access and validate the “controls” that ensure standards are applied effectively.
- Find evidence of execution of the governance practices within the data.
Critical Success Factors
GDPR compliance is a function of creating logical linkage and consistency across multiple functions and actors - down to the data level. Details will vary based on the organization and the assessment of risk.
Overall, the following are critical to successfully demonstrating compliance:
- Produce a catalog of all impacted data
- Know where data is being used, and by whom
- Show governance lineage from Policy => Process => Standard => Control => Data
- Report on effectiveness of “Controls”
- Produce specific data related to particular requirements such as: Security Events, Notification, Privacy Impact Assessments, and so forth.
- Show the relationship of governance tasks to both data and the business processes that use Personal Information.
Tip: DATUM’s Information Value Management® provides the critical mapping functions that allow you to answer the above questions.
Interested in reducing stress, chaos and costs while also achieving GDPR Audit Resilience? Contact us today to get more information about how we can help.