How to manage and monitor your GDPR compliance

By EBRC 12/10/2021

The General Data Protection Regulation (GDPR) came into force in May 2018. Three years later, where do we stand? Although many companies have appointed a Data Protection Officer (DPO) and made great efforts to comply, the subject has been overshadowed by the health crisis in recent months. There have been clear setbacks, as evidenced by the numerous administrative sanctions imposed in 2020 by the European data protection authorities: 326 for a cumulative amount of 170 million euros. How then can we enter into a process of continuous improvement involving all stakeholders?

Christelle Amodio, Business Manager at EBRC, Aline Moyret, Governance Risk & Compliance Practice Lead at EBRC, and Stéphane Omnes, Data Protection Officer at Post Luxembourg, discussed the issue during a webinar organised by EBRC and dedicated to the management of the GDPR. For them, being compliant with the GDPR at a given moment is no longer enough. Companies evolve - new services or products appear, others disappear - and with them, the processing of their data changes. It is therefore urgent to go beyond a per-project approach and implement a genuine personal data protection management system.

Manage your GDPR compliance thanks to a control framework based on 9 topics and 24 control points

The approach proposed by EBRC is part of a risk management policy based on a control plan. The control plan makes it possible to take stock of the company's compliance, to identify areas for improvement, to give feedback to the various stakeholders (business line managers as well as management), to re-assess the risks and to update policies and procedures in order to continuously improve the data protection management system.

The control plan is based on 9 topics: governance and its methods, the register of processing operations, compliance, Privacy By Design, data subject rights, data breaches, subcontractor management, business customer management and security. These 9 topics are broken down into 24 control points for which a correspondence has been established with the GDPR-CARPA (Certified Assurance Report-Based Processing Activities) certification scheme, drawn up by the National Data Protection Commission (Commission Nationale de Protection des Données - CNPD), and ISO27701, the international standard for data protection.

Protecting your sensitive information - three levels of responsibility: from business line managers to internal auditors

Based on this compliance framework, there are three levels of control. The first level is the responsibility of business line managers. Their main task in this respect is to carry out, at regular intervals - generally twice a year - a self-assessment of their compliance with the GDPR. Level 2 controls are the responsibility of the Data Protection Officer and their team. They audit the business line managers on a regular basis, analyse their responses and challenge them on their self-assessment. The objective is to measure the status of their compliance with reproducible indicators (KPIs) and to identify the points that have been improved and those that still need improvement, the residual risks and any lack of resources allocated to compliance. The results and the action plans to be implemented are then documented in the form of reports that provide feedback to management and specialist committees and thus give them more visibility on the implementation of GDPR compliance. The third line of defence is provided by the internal audit.

The benefits of this data protection management system are manifold. You continuously monitor and control your GDPR compliance. You manage the risks. You inform and educate all stakeholders about their level of responsibility in handling personal data. What's more, the approach is simple - all you need is an Excel spreadsheet to create a single, decentralised dashboard - a solution that is pragmatic, agile, iterative and adaptable to any industry, regardless of the size of your business.

To find out more about our personal data protection management system, you can watch the replay of the webinar “GDPR: take control” or contact us.