In a GDPR project or any data privacy related enterprise project, there are many ways to start and structure it. We’ll find as many individual approaches as there are companies who are managing data privacy requirements—all of them contributing to good results in good faith. Therefore, there is no wrong approach per se.

Since comprehensive data protection and privacy management calls for orchestrated activities across processes, organizations, and heterogeneous system landscapes, a strategic plan and architecture (rather than uncoordinated individual activities) is clearly beneficial.

In addition, as companies start exploring new business models and evolving their digital transformation strategy, it might be wise to think about including sustainable data protection and privacy management architecture into that transformation journey.

I don’t want to introduce yet another GDPR/data protection and privacy framework today. But it might be worthwhile to think through the following systematic approach and use it as a kind of cross-check from another perspective. The listed capabilities aren’t meant to be complete, but they can motivate you to check the status of your project and help you see how to improve its setup and tools.

The Environment

Keep in mind that in a GDPR/data privacy project, companies need a methodology to consolidate the various impacts of heterogeneous system landscapes, the need to analyse the business processes in which personal data is processed, and change management within the organization.

1) The Ultimate Base: Data Security

Dealing with any kind of personal data requires proper security management, and data security as protection against data breaches is a prerequisite. The foundation covers these aspects:

  • Analysis of critical and sensitive access to personal data
  • Compliant authorization concept, incorporating policies into provisioning processes
  • Limited and fine-grained access management by using attributes to define specific policies
  • Identity management, customer identity management
  • Monitoring and reporting of data privacy incident/breach metrics (nature of breach, risk, root cause)
  • UI logging
  • Third-party risk management

2) Governance and Accountability

Governance and accountability focuses on monitoring organizational readiness with questionnaires and assessments, prioritizes requirements for compliance, and provides executive-level visibility with detailed reports:

  • Maintain an inventory of personal data holdings: what personal data is held and processed, and where
  • Conduct enterprise data privacy impact and risk assessments
  • Maintain corporate data privacy policies, including employee data privacy policies
  • Conduct employee training and certifications
  • Document legal requirements, ownership, purpose and integration into internal control system
  • Report and monitor risks, controls, and compliance status
  • Integrate into internal and external audit process

3) Data Management

This data management section is all about establishing the technical capabilities to discover, localize, and visualize personal data categories and flows, and to manage data subjects’ consent and other preferences:

  • Identification and categorization, tagging, indexing, and mapping of personal data
  • Managing procedures for blocking, rectification, deletion, and archiving of personal data
  • De-personalization: encryption, pseudonymization
  • Data minimization (UI masking and so on)
  • Cross-border data transfer, including controls and geofencing
  • Data flow analysis

4) Enterprise Interactions

In order to handle a data subject’s consent and other requests, as well as interactions with authorities, companies will need a portal that provides services like:

  • Consent management for data subjects: granting and revoking consent
  • Receiving and acknowledging privacy notices
  • Authority interactions
  • Customer preference management
  • Requests for access to personal data
  • Breach notification handling, maintain a data privacy incident/breach response plan

Bottom Line

Yes, there are many other ways to structure your program, but I think it’s worth at least taking a deeper look at this one. And remember:

  • Be open to innovation: integrate the program into your digital transformation strategy and try to avoid starting uncoordinated point solutions for short-term pain relief
  • Involve all stakeholders in your company and manage this program holistically

Learn More

  • Visit SAP’s GDPR compliance webpage for more information and education about GDPR
  • Check out the GDPR product webpage for resources about which SAP solutions and services could help you govern your GDPR program and manage and protect your data for sustainable GDPR compliance
  • Read our other GDPR-specific blogs
NOTE: The information contained in this blog represents the author’s personal opinion and is for general guidance only and provided on the understanding that SAP is not herein engaged in rendering legal advice. As such, it should not be used as a substitute for legal consultation. SAP SE accepts no liability for any actions taken as response hereto. It is the customer’s responsibility to adopt measures that the customer deems appropriate to achieve GDPR compliance.
GRC Tuesdays: A Simple, Four-Pillar Approach to Structuring Data Protection and Privacy (GDPR) Programs