Why Business Process Management is a better choice than only process mapping in GDPR tools

Companies and organizations are experiencing the first stage of a new digital support: GDPR management tools. We analyzed some of them.

As for all previous cases of new business compliance processes there is today a growing number of tools in the market addressing the all new European privacy law, the General Data Protection Regulation, which came into force on May 25, 2018. Our main conclusion: these privacy tools have design limitations.

The problem

In some cases the approach of the solution is technological -systems designed as if they were independent or of static nature- while in other cases it’s functional, thus technical in compliance matters, still specific.

We classify both approaches as mainly marketing-oriented; not in order to criticize the quality of these tools as such but the fact that the solutions primarily are momentum-driven commercial opportunities for a sudden demand, which market is still not well versed on the subject. This practice raises issues, indeed.

Talking with GDPR experts it emerges that some entrepreneurs and executives have taken a vision which limits GDPR compliance to – a bureaucratic – document management or, even worse, they seem a one-shot maintenance-free operation. All despite the many and repeated warnings and risks of running into huge administrative fines.

Moreover, we have been confided that companies apparently prefer a non-matching real-world business processes above the presenting of  ‘official processes’ and carry on with their usual ones. The bottom line: the risk and the purpose of the compliance audit is dispelled although time and money is expended, and at a high risk cost at the same time.

Back to the past

We note a remarkable parallel to the 90’s when ISO quality certification was fashionable. It was not uncommon to find entrepreneurs chasing contingently after a series of certificates, however without any serious intention to change their company culture.

We have worked with quite a few of them at that time and, unfortunately but not by chance, none of them had enlighten their future after such choices. (None of them exist anymore in the market, but this is just a personal account.)

Three decades later quality at large -finally- seems widespread in many business environments, and process mapping & re-engineering is nothing new anymore. The resulting benefits are acknowledged as part of our business culture.

An innovative approach – a golden opportunity

Underestimating the interventions required to meet the GDPR or not taking advantage of all actions needed during this process, may lead companies to choose wrong tools that require serious compliancy efforts. Often this road also leads to the impossibility to become connected with other fundamental areas of competence such as Legal and Operations. Given all of the above, we raise a crucial question:

Why should companies and organizations re-map their processes only for GDPR purposes? Why do GDPR tools not start from managed processes?

Exchange standards are available, such as IDEFx, FFBD or BPMN 2.0 for modeling or universal standards like XML or Json, just to provide some examples. Then, how common it is actually the adoption of process mapping tools?

This lack of integration of best practices and previous investments leads to a costly attrition.