How to identify if a solution accelerates GDPR compliance?

By Alessandro Fiorentino

Each week is an opportunity for us to meet new DPOs.

The objective is always the same: to discuss the initiatives they have put in place and the tools they use to bring their organization into compliance with the GDPR.

Even if comparisons are never entirely fair, it is sometimes useful to look at the priorities of your peers when they seek to maximize their effectiveness on a subject as cross-cutting as the GDPR.

In this article you will discover the 5 qualities that DPOs examine first and foremost when evaluating a GDPR solution.

Why is the ability to accelerate GDPR compliance important?

First observation: the needs of DPOs have evolved.

In 2016, their needs were essentially limited to the centralization of supporting documents and the formalization of the register.

For the 2021 DPO, the objective is clearly that of acceleration. Organizations no longer have a choice: all the leniency periods granted by the supervisory authorities have passed.

However, many organizations are still in the process of formalizing the register or have not yet completed their first DPIA (Data Protection Impact Assessment, also shortened to PIA).

The challenge is therefore to go faster. That is to say, do in a few months what has not been done so far.

DPOs are also personally interested in this acceleration.

While there are more and more innovations within organizations, they want to be able to react quickly and respond to the requests addressed to them.

The objective is to be identified as a true partner and to reduce the risk of being “forgotten”.

5 points of attention when assessing a GDPR solution

The user experience: a source of acceleration for your GDPR compliance.

Let's be honest: as a DPO you will spend a considerable amount of time in your GDPR solution.

Between the imposed formalism, the evaluation of security measures and the responses to requests, the GDPR solution competes directly with your email client for the title of most-used software.

In addition, some DPOs do not hesitate to use the GDPR solution they have acquired to establish their legitimacy with the business teams and encourage their cooperation. The user experience is therefore essential to maintain your motivation and that of your counterparts.

It can be evaluated through various elements: onboarding, progress tracking, information search, and display and recording time.

Onboarding

The aim of a GDPR solution is to simplify the compliance of an organization, not to create an additional project for the DPO, who already has enough to deal with.

Evaluate vendors on their ability to help users take control of the solution they offer. Note whether this support is tailored to the different types of users.

The objective here is to ensure that the time required to get started does not compromise the promised acceleration benefits.

The state of progress

GDPR compliance is a project.

As with any other project, the project manager needs to be able to clearly identify the overall progress of the project and the progress of each of the sub-projects that make it up.

Does the dashboard of the proposed solution give you these different levels of progress?

The objective here is to limit the time spent identifying the actions to be carried out, so that the project keeps moving.

The search for information

As a DPO, you will be juggling a large amount of information.

You produce it, your legal department produces it, your CIO too... All your colleagues produce it.

They are not the only ones. There are also your partners, the data subjects and the supervisory authorities.

Does your GDPR solution allow you to centralize all this information? How is it organized? How long does it take to find the information you look for most often? Is it faster than managing a shared folder?

Display and recording time

Formalizing and completing your register on time should provide a feeling of satisfaction. Make sure this remains the case by asking the vendor how long its product takes to display a register of more than 100 processing activities, and how long it takes to record a new processing record or to update one.

All these lost seconds call into question the acceleration of your compliance. They are also irritants that negatively impact the user experience.

The progress and identification of future actions

The day after the invalidation of Privacy Shield, a DPO told me: “In any case, I don't believe in GDPR compliance, there will always be things to do. On the other hand, I think we should try to be in a position of compliance.”

The compliance posture is the regular analysis of the efforts made on data protection over a specific period of time. What does this have to do with acceleration? Two things:

  • Demonstrating the progress made, the projects that remain to be addressed and being able to identify the resources needed to do so will undoubtedly be the best way to be in a position to defend your budget.
  • The path to compliance is long, complicated, and tortuous. Having a precise vision of the progress made is one of the best ways to keep yourself and your interlocutors motivated on the subject.

Support for the formalization of the register

Three years after the entry into force of the GDPR, few DPOs do not know how to formalize a register of processing activities.

How can we explain that so few organizations have an up-to-date register of the processing activities they carry out?

It is one thing to know what content is expected in the register; it is quite another to know where to find this information within the organization. To do this, the DPO must rely on the business teams to learn what they do with the data, for what purpose, on what legal basis, with what tools, and so on. This is one of the main difficulties of the GDPR.

  • One person, the DPO, knows how to fill out the register of processing activities but does not have the information to do so.
  • A multitude of people, not necessarily identified, have this information, or are able to obtain it, but do not know how to complete the register.

Why not organize workshops in which the DPO and the business teams can jointly fill in the register?

You know this as well as I do: in practice, it is difficult. The business teams are busy, and the DPO, although equipped with many qualities and a strong motivation, cannot be everywhere at once.

Allowing your colleagues to identify the information you need is an effective way to avoid the multiplication of meetings, reduce the risk of errors and the number of requests sent to you.

Thus, when a DPO evaluates a GDPR solution, one of the questions that comes up most often is the following: will the support offered by this solution allow my colleagues to fill in and update the register without me?

Duplication of security measures

Copy and paste (Ctrl+C / Ctrl+V) is seen as a time saver. Above all, it is a source of errors and a sign that your expertise in the protection of personal data could be put to better use.

The efforts made by your CISO to standardize security measures should speed up the formalization of your register of processing activities.

Evaluate the solutions under consideration on their ability to duplicate all or part of the security measures from one processing record to another, from one department to another, or even from one legal entity to another.

Undoubtedly, at that point, the time savings will be real.

The realization of the PIA

Data Protection Impact Assessments are, as their name suggests, analyses.

These analyses are based on the security measures implemented to ensure the security of the processing of personal data.

Initiating an analysis without the necessary information is one of the surest ways to end up confirming, together with your counterparts, that the PIA cannot be carried out.

This is probably why DPOs are increasingly interested in knowing what the various GDPR solutions offer in terms of PIA.

  • Does the solution automatically identify the processing activities that are subject to a PIA?
  • Is the information necessary for the analysis pre-formalized, so that you can devote yourself exclusively to the analysis and the identification of additional security measures?
  • What are the consequences of a modification made to a processing record that has already been the subject of a PIA?

Information System Integration

As a DPO, you will need the business teams to fill out the register of processing activities. You will also count on them to update this register. After all, it needs to reflect reality.

But will your counterparts be able (or willing?) to ensure that this register is updated on time? Your colleagues already have plenty of follow-ups and reports to handle, and the thread of changes can easily be lost.

To overcome this difficulty, integrating your GDPR solution with the rest of your Information System can alleviate this workload. It can also enable automations for handling data subject rights requests, reviewing contracts, and managing privacy policies.

These possibilities and the settings that are necessarily associated with them can save you a considerable amount of time. However, it is necessary to assess the relevance of this type of possibility in light of the size of your organization.

Before leaving

You have started to formalize your register via the CNIL file? You have
