A Framework to Keep your Organization GDPR Compliant


Posted on: Oct 27, 2015 by Abbas Shahim

In my 3 Ways Being Compliant with GDPR Could be Good for Your Business, I highlighted that the impact of the GDPR regulation was woefully underestimated. Here I discuss why compliance is crucial and outline a framework that can be used as an instrument to support organizations to stay compliant with GDPR. This is not a box-ticking exercise but a fundamental shift in how compliance is performed.

Firstly, there are many implications of compliance and many definitions circulating, but in my view there are two key principles.

It’s a license to operate – if you’re a bank, hospital or government body in particular, it is your mandate to be compliant, especially when handling sensitive citizen data. More legislation will only keep coming for these types of organizations, so it’s important to embed compliance processes now as a daily occurrence; it cannot be a once-a-year exercise.

The behavior and culture of the organization – while compliance initiatives take their lead from the board of directors, compliance has to become part of the DNA of the entire business, catalyzing behavior change among employees. If it is only driven from the top, then compliance pushes will work 3-4 times, but on the fifth time it’s likely that the business could come unstuck.

Given how critical compliance is, it’s important to consider not just technology processes but their integration with business processes and the information provision around them. Here I outline a framework to help organizations stay on the right side of the forthcoming GDPR regulation.

  1. Understanding Data Governance – before you embark on a compliance project it’s important to have quality data to hand so you can understand the source of the data, which system or application it is held in and whether the information is accurate and complete. If third parties are involved, ensure contractual agreements are in place about the storage and ownership of this data.
  2. Design a Gap Analysis – organizations will already have a series of controls in place around privacy. However, when a new piece of legislation comes into force such as GDPR, it’s important to assess which controls will suffice to meet the legislation and ascertain where the controls need to be expanded.
  3. Develop and Design Controls – once you’ve identified the weaknesses in your compliance process (they could exist in your HR or finance department, for instance), you need to define and implement new controls to close these gaps.
  4. Install Encryption Packages – this will help to ensure the safe transfer of individuals’ data, whether it relates to a client, supplier or employee. Encryption does not remove every privacy risk, however: an individual who is permitted to access that data may still use it for a purpose that was not authorized.
  5. Proving Compliance and Traceability of Information – it’s important to have all the data in place for all the questions compliance auditors may have. It is worth considering using a third party to play a quality assurance role before the auditors arrive. We’re helping global firms prove they are compliant backed up by accurate and complete information.

Privacy is increasingly something that people care about and organizations need to have a complete picture of their data estate so they can robustly prove they are compliant and build trust with their suppliers, clients and citizens. It won’t be long before GDPR arrives so now is the time to assess your data governance, security and privacy controls in the round.



About Abbas Shahim

Business & Management Consultant
Abbas Shahim is partner at Atos Consulting where he heads the international GRC practice. He is also full professor of IT Auditing and GRC at the VU University Amsterdam.
