Many technology vendors are finding ways to align their offerings with the challenges that organisations face in becoming GDPR compliant. Some of that alignment is genuine; much of it is simply marketing.
So if you and your organisation are currently evaluating technology that can support your journey to GDPR compliance, here is a list of questions that you should be asking potential vendors to qualify their tools’ suitability.
Search, classification, taxonomy and control
- Can my search and classification technology span all the systems in my organisation?
- Can I get a unified view across all my corporate systems about what data I have?
- Can I estimate how much of my data is likely to fall within the scope of the GDPR?
- Can I identify which data contains PII, and which contains sensitive PII (special category data under the GDPR)?
- Can I implement one GDPR corporate taxonomy across all data sources?
- Can I implement and enforce data handling policies across all systems in real time?
- Can I implement data handling processes in a repeatable and auditable way?
- Can I demonstrate a repeatable and auditable process for handling data handling exceptions?
- Can I automate remediation activities as part of data handling exception management?
- Do I have the mechanisms in place to turn Subject Access Requests around within the statutory one month (extendable by a further two months only where requests are complex or numerous)?
- Can I automate the verification of Data Subject identity as part of Subject Access Requests?
- Can I implement a right to erasure (‘right to be forgotten’) request in an automated and auditable way?
- Can I update information held on Data Subjects in an automated and auditable way?
- Can I keep Data Subjects up to date with the progress of their Subject Access Requests in an automated way?
- Can I limit manual handling in the management of data handling exceptions and Subject Access Requests?
- Can I quickly and easily add new data sources to my corporate data management systems?
- Can I adapt compliance processes quickly and easily while still maintaining the right controls?
- Can I get visibility across all data handling exceptions and Subject Access Requests, including:
  - Status
  - Volume
  - Adherence to SLA
  - Overdue and soon-to-be-overdue cases
  - Risk profile
  - Repeat requests versus new requests
  - Request volume trends
  - Process stage breakdowns
- Can I see where data in my corpus is ‘near missing’ my GDPR and PII taxonomies?
- Can I adapt and refine taxonomies based on reporting outputs?
- Can the technology fit into existing systems and processes in my organisation?
- Can the technology complement existing processes rather than having to rip and replace?
- Can the technology be delivered on-premises, in public cloud, in private cloud or as a hybrid, as appropriate?
- Can the solution be implemented and delivered with a low-code/no-code approach?
- Can the solution be maintained and adapted over time without the need for long development cycles and waterfall project planning?
- Can the solution be held in an EU datacentre?
By Simon Wright, CEO at Britecloud