Whether you are in the IT department or on the legal team, in recent weeks you’ve no doubt received announcements and advertisements offering technology solutions that promise to help you “achieve GDPR readiness.” While these products can help address certain compliance issues, it’s important to understand their limitations – and that GDPR compliance requires more than technology solutions. Before any tool can be useful, GDPR demands a combination of review, risk analysis and thoughtful decision-making on the part of your company.

While software solutions can help with discrete tasks – data mapping, controlling and monitoring who has access to data, and managing consent, to name a few – critical aspects of GDPR compliance require due diligence, planning and ongoing monitoring, tasks that technology cannot perform for you. These include, for example:

• Assessing the risk to individuals of data collection and processing – and determining how to mitigate those risks;
• Reviewing and amending your contractual agreements with vendors to be sure they understand their responsibilities with respect to the processing and protection of data;
• Making sure your privacy and information practices result in protections for individuals;
• Performing the due diligence necessary to be sure your vendors can comply with data protection and privacy law, and can meet the commitments stated in your privacy notice; and
• Educating your workforce.

Microsoft’s Azure package serves as an example of a tech solution that only partly addresses a company’s compliance needs. One of the many requirements of the GDPR is to understand your data and to make sure that only appropriate personnel can access it. Azure provides systems to help you identify what data you have and control who can access it. Azure Active Directory secures your computing environments, data and applications, using multifactor authentication for sign-in and identity management (users, groups and role assignments) to govern who can reach which data. Azure also provides a classification and labeling service that lets you tag your data so it can be identified and protected wherever it is stored and with whomever you share it. Labeled data can be tracked and access to it revoked remotely, but only while the file is opened in a client that enforces the label; an unprotected export or copy escapes those controls, so labeling complements, rather than replaces, the decision about who should hold the data in the first place.

But while Azure provides the controls, it can’t do the analysis the GDPR requires – only you and your knowledgeable employees can do that. No matter what the technical tools, you’ll need to decide what data you collect, what you keep, and who can access it. Only then does a technical tool like Azure come into play, helping you implement the decisions only you can make.

Similarly, the Azure security tools – Security Center, data encryption, Key Vault and Log Analytics – can help you build a secure environment in which to store and transfer data and to keep track of where it has been and who has accessed it. But before you build that environment, professionals at your company must understand your risk profile by assessing the sensitivity of your data and processing activity and understanding the nature of the threats you face. Only then does implementing technical tools make sense.

Finally, it’s important to remember that tools like Azure are limited in their coverage: they protect data stored and processed in the Azure environment (and, for the identity and labeling services, in the applications that integrate with them), while the GDPR requires controls over personal data across every platform and application that holds it, including on-premises systems, other cloud providers and your third-party vendors. Moreover, a host of other considerations go into GDPR compliance – creation of a privacy policy, understanding your legitimate business interests, and providing opportunities for individuals to access and correct their information, to name a few.

GDPR compliance is an enterprise-wide project that involves more than the IT department or technology solutions. To get compliance right, companies need to take a comprehensive view of their data, make thoughtful decisions based on risk assessment about how to use and protect it responsibly, and only then use the necessary tools to implement those decisions.


Achieved Compliance – helping you navigate the complex world of data compliance.

Through its software-guided review and remediation process, education tools and representation services, Achieved Compliance makes it possible for companies to take all the steps needed for meaningful compliance that meets regulators’ expectations.

For more information about how we can help your organization become GDPR compliant, please contact info@achievedcompliance.com.