If you’re not using a tool, you’re not taking it seriously
Software tools are essential to running various aspects of a company’s business, from HR to customer service. They ensure operational efficiencies and regulatory compliance. GDPR is no exception – it too will need a software tool.
The question is: what’s that tool going to be? Excel seems to be the most immediate option, given that most companies started their data privacy efforts using it. After all, Article 30’s Records of Processing, which the regulator can request at any time, is quite a trivial report that is easily done in Excel.
Don’t be fooled by the trivial Article 30 reporting
But the Records of Processing is just the tip of the iceberg.
Below the waterline lies a whole raft of interconnected information, from general principles and individual rights to accountability and governance. Attempting to manage all this in a spaghetti of Excel sheets is a non-starter. Anyone who tries it will quickly realise that it is unmaintainable, unshareable and unscaleable. In short, it is a recipe for operational inefficiencies and non-compliance.
So how can tools help? I have tested over 10 GDPR tools hands-on with a trial account. The products are all SaaS cloud-based (some have on-premises options), with pricing from around €300/mth to €1500/mth based on the number of users. Here are the main features I came across:
Regardless of the size of your organisation or the scope of your data protection obligations, you will need a tool that is able to cover at least features 1–5. Features 6–9 are certainly desirable, and 10–11 are dependent on your type of business.
What signal do you want to send to the regulator?
Managing your GDPR obligations in a software tool will give you the operational efficiencies to focus on the actual business of data privacy and compliance. It will certainly send the right signal to the regulator that you are taking GDPR seriously.
Using Excel, however, will simply get you bogged down in admin and leave you exposed to incidents and accidents. And it will certainly suggest to the regulator that, at best, you haven’t understood what GDPR is all about; and at worst, that you are not taking it seriously.