Still haven’t really started meeting the requirements for the EU’s new GDPR privacy rules? Gartner has predicted that “By 25 May 2018, less than 20% of all organizations worldwide will fully comply with the EU's GDPR.” Do you and your company fall into this category? If so, here are the types of tools that can help you get started (hopefully in time to meet the deadline if you start soon!).
On May 25th, the GDPR will go into effect for any organization holding or processing personal data of EU citizens. The penalties for noncompliance are steep: 4 percent of annual turnover or 20 million euros, whichever is larger. The rationale behind the law is to protect the privacy of EU residents – even when the organization itself is located outside the EU.
To help organizations manage the complexity (and hopefully give you a jumpstart), a number of tools are on the market. However, these tools tend to address disparate issues within the law as a whole. It is worth doing a serious inventory of the needs within your organization to determine what is already in-house and being managed, and what still needs to be done. Broadly, you can divide the market into three different categories – tools that provide an assessment, tools that aid with the implementation, and tools that facilitate the continuous monitoring and maintenance of GDPR compliance.
Assessment means different things to different roles within different organizations, and as such, it is easy to see a divide in the market as to just what an assessment provides. Snow, for instance, can identify the application versions that hold or transmit personal data and also flag devices that do not have appropriate GDPR controls. The International Association of Privacy Professionals (IAPP) & TRUSTe have joined forces to create a tool that asks sixty questions, mapped to GDPR requirements, and produces a gap analysis with recommendations. Opus also offers a tool that helps with supply-chain analysis by sending questionnaires about data security controls to third-party users to determine whether they comply with GDPR requirements.
Implementation tools run the gamut from scripts that make websites compliant to full security management systems. For instance, Secureprivacy.ai provides an automated consent management solution to ensure that, page by page, websites comply with the laws regarding opt-in/opt-out. Neupart Secure GDPR focuses on helping organizations implement GDPR processes with ready-to-use templates, impact assessment tools, and gap analysis to track compliance status. Airclock Insights provides a tool that anonymizes data for analysis so that it can be shared without restriction under the GDPR.
As the regulatory landscape will only become increasingly complex, it is wise for companies that go through the implementation to look seriously at what maintenance options are available to them. BigID Big Ops, for instance, uses machine learning to understand personal data in its context, and then catalogs it. OneTrust is another big name in privacy management software – and they offer tooling that continuously monitors an organization’s web pages to identify and categorize cookies.
The Total Platform
While most tools offer a discrete solution, Mavim (in combination with our partners) can offer end-users the full solution. PWC & Mavim have teamed up to create a quick-scan assessment that provides insight into where your organization is now and where it needs to be to reach full compliance. Those recommendations can then be implemented with the Mavim software. Mavim provides a Microsoft-based software solution designed to help organizations visualize and demonstrate compliance with the GDPR. All relevant data and its organizational context (who is in charge of it, what its purpose is, where it can be found, etc.) can be stored and managed directly in Mavim, which allows you to stay audit-ready. When it is clear who does what, when and how, the regulator can quickly see that the business is compliant or is well on its way towards full compliance. The user-friendly Mavim portal allows the information to be shared with stakeholders to ensure compliance with the privacy regulations, as well as providing a simple and straightforward auditing environment for regulators.