<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>gdpr &#8211; B|KM &#8211; B2B SaaS</title>
	<atom:link href="https://bkmsoftware.com/tag/gdpr/feed" rel="self" type="application/rss+xml" />
	<link>https://bkmsoftware.com</link>
	<description></description>
	<lastBuildDate>Mon, 01 Mar 2021 13:34:48 +0000</lastBuildDate>
	<language>es</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://bkmsoftware.com/wp-content/uploads/2021/02/cropped-cropped-logo2020-black-32x32.png</url>
	<title>gdpr &#8211; B|KM &#8211; B2B SaaS</title>
	<link>https://bkmsoftware.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>BPM is better</title>
		<link>https://bkmsoftware.com/bpmgdpr</link>
		
		<dc:creator><![CDATA[Lorenz Baermann]]></dc:creator>
		<pubDate>Mon, 01 Mar 2021 13:34:48 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[bpm]]></category>
		<category><![CDATA[gdpr]]></category>
		<category><![CDATA[tools]]></category>
		<guid isPermaLink="false">https://info.bkmsaas.net/?p=238</guid>

					<description><![CDATA[Why Business Process Management is a better choice than only process mapping in GDPR tools Companies and organizations are experiencing the first stage of a new digital support: GDPR management tools. We analyzed some of them. The problem In some cases the approach of the&#8230;]]></description>
										<content:encoded><![CDATA[
<h2 class="wp-block-heading">Why Business Process Management is a better choice than only process mapping in GDPR tools</h2>



<p>Companies and organizations are experiencing the first stage of a new digital support: GDPR management tools. We analyzed some of them.</p>






<p><strong>The problem</strong></p>



<p>In some cases the solution takes a technological approach (systems designed as if they were independent or static in nature), while in other cases it is functional: technical in compliance matters, yet still specific.</p>



<p>We classify both approaches as mainly marketing-oriented; not in order to criticize the quality of these tools as such, but the fact that the solutions are primarily momentum-driven commercial opportunities for a sudden demand, in a market that is still not well versed in the subject. <em>This practice does raise issues</em>.</p>



<p>Talking with GDPR experts, it emerges that some entrepreneurs and executives have adopted a view that limits GDPR compliance to bureaucratic document management or, even worse, treats it as a one-shot, maintenance-free operation. All this despite the many repeated warnings and the risk of running into huge administrative fines.</p>



<p>Moreover, we have been told in confidence that companies apparently prefer real-world business processes that do not match the ‘official processes’ they present, and carry on with their usual ones. The bottom line: the risk and the purpose of the compliance audit are dispelled although time and money are expended, and at a high risk cost at the same time.</p>



<p><strong>Back to the past</strong></p>



<p>We note a remarkable parallel to the 90’s when ISO quality certification was fashionable. It was not uncommon to find entrepreneurs chasing contingently after a series of certificates, <em>however without any serious intention to change their company culture</em>.</p>



<p>We worked with quite a few of them at that time and, unfortunately but not by chance, none of them had enlightened their future after such choices. (None of them exist anymore in the market, but this is just a personal account.)</p>



<p>Three decades later quality at large -finally- seems widespread in many business environments, and process mapping &amp; re-engineering is nothing new anymore. The resulting benefits are acknowledged as part of our business culture.</p>



<p><strong>An innovative approach – a golden opportunity</strong></p>



<p>Underestimating the interventions required to meet the GDPR, or not taking advantage of all the actions needed during this process, may lead companies to choose the wrong tools, which then require serious compliance efforts. Often this road also makes it impossible to connect with other fundamental areas of competence such as Legal and Operations. Given all of the above, we raise a crucial question:</p>



<p><strong><em>Why should companies and organizations re-map their processes only for GDPR purposes?</em></strong><strong> <em>Why do GDPR tools not start from managed processes? </em></strong></p>



<p>Exchange standards are available, such as IDEFx, FFBD or BPMN 2.0 for modeling, or universal standards like XML or JSON, just to provide some examples. So how common is the adoption of process mapping tools, actually?</p>



<p>This lack of integration of best practices and previous investments leads to costly attrition.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>BPM is better</title>
		<link>https://bkmsoftware.com/process-mapping-attrition-in-gdpr-tools-or-bpm-opportunity%ef%bb%bf-2</link>
		
		<dc:creator><![CDATA[Lorenz Baermann]]></dc:creator>
		<pubDate>Sun, 14 Feb 2021 15:31:55 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[cumplimiento]]></category>
		<category><![CDATA[gdpr]]></category>
		<category><![CDATA[Process Management]]></category>
		<category><![CDATA[Process Managementcompliance]]></category>
		<guid isPermaLink="false">https://info.bkmsaas.net/gen/process-mapping-attrition-in-gdpr-tools-or-bpm-opportunity%ef%bb%bf-2/</guid>

					<description><![CDATA[Why Business Process Management is better than mapping alone for GDPR purposes Companies and organizations are experiencing the first stage of a new digital support: GDPR management tools. We analyzed some of them. As with all previous cases of new&#8230;]]></description>
										<content:encoded><![CDATA[
<h2 class="wp-block-heading">Why Business Process Management is better than mapping alone for GDPR purposes</h2>



<p id="tw-target-text">Companies and organizations are experiencing the first stage of a new digital support: GDPR management tools. We analyzed some of them. </p>



<p id="tw-target-text">As with all previous cases of new business compliance processes, there is today a growing number of tools on the market addressing the brand-new European privacy law, the General Data Protection Regulation, which came into force on 25 May 2018. Our main conclusion: <em>these privacy tools have design limitations</em>. </p>



<h3 class="wp-block-heading">The problem</h3>



<p>In some cases the solution takes a technological approach (systems designed as if they were independent or static in nature), while in other cases it is functional: technical in compliance matters, yet still specific.</p>



<p>We classify both approaches as mainly marketing-oriented; not in order to criticize the quality of these tools as such, but the fact that the solutions are primarily momentum-driven commercial opportunities for a sudden demand, in a market that is still not well versed in the subject. This practice does raise issues.</p>



<p>Talking with GDPR experts, it emerges that some entrepreneurs and executives have adopted a view that limits GDPR compliance to bureaucratic document management or, even worse, treats it as a one-shot operation that requires no maintenance. All this despite the many repeated warnings and the risk of incurring huge administrative fines.</p>



<p>Moreover, we have been told in confidence that companies apparently prefer real-world business processes that do not match the ‘official processes’ they present, and carry on with their usual ones. The bottom line: the risk and the purpose of the compliance audit are dispelled although time and money are spent, and at a high risk cost at the same time.</p>



<h3 class="wp-block-heading">Back to the past</h3>



<p>We note a remarkable parallel with the 90’s, when ISO quality certification was fashionable. It was not uncommon to find entrepreneurs chasing contingently after a series of certificates, however without any serious intention to change their company culture.</p>



<p>We worked with quite a few of them at that time and, unfortunately but not by chance, none of them had enlightened their future after such choices. (None of them exist anymore in the market, but this is just a personal account.)</p>



<p>Three decades later, quality at large finally seems widespread in many business environments, and process mapping and re-engineering are nothing new anymore. The resulting benefits are acknowledged as part of our business culture.</p>



<h3 class="wp-block-heading">An innovative approach: an opportunity</h3>



<p>Underestimating the interventions required to meet the GDPR, or not taking advantage of all the actions needed during this process, may lead companies to choose the wrong tools, which then require serious compliance efforts. Often this road also makes it impossible to connect with other fundamental areas of competence such as Legal and Operations. Given all of the above, we raise a crucial question:</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"><p><em>Why should companies and organizations map their processes only for GDPR purposes? Why do GDPR tools not start from managed processes?</em></p></blockquote>



<p>Exchange standards are available, such as IDEFx, FFBD or BPMN 2.0 for modeling, or universal standards like XML or JSON, just to provide some examples. So how common is the adoption of process mapping tools?</p>



<p>This lack of integration of best practices and previous investments leads to costly attrition.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>GDPR integration in contracts management</title>
		<link>https://bkmsoftware.com/gdpr-integration-in-contracts-management-opportunity-for-a-better-sensitive-data-management-and-compliance</link>
		
		<dc:creator><![CDATA[Lorenz Baermann]]></dc:creator>
		<pubDate>Mon, 01 Jul 2019 16:15:17 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[article28]]></category>
		<category><![CDATA[clm]]></category>
		<category><![CDATA[gdpr]]></category>
		<category><![CDATA[gdprarticle28]]></category>
		<guid isPermaLink="false">https://info.bkmsaas.net/gen/gdpr-integration-in-contracts-management-opportunity-for-a-better-sensitive-data-management-and-compliance/</guid>

					<description><![CDATA[Contract Management tools and CLM (Contract Lifecycle Management) practices offer the opportunity to integrate managed processes from the very beginning of the data stream: the contracts. Article 28 of GDPR provides some guidelines that we develop in this paper. ]]></description>
										<content:encoded><![CDATA[
<h2 class="wp-block-heading">An opportunity for better sensitive data management and compliance</h2>



<p>Contract Management tools and CLM (Contract Lifecycle Management) practices offer the opportunity to integrate managed processes from the very beginning of the data stream: the contracts. Article 28 of GDPR provides some guidelines that we develop in this paper. </p>



<p><strong>Contracts
and GDPR</strong></p>



<p>Organizations can fairly easily identify the source of sensitive data in their contracts, either because contracts <em>de facto</em> represent the data collecting events (B2C and B2B) or because data treatment or manipulation is the <em>subject</em> of the contracts themselves (B2B). The latter is the case of third parties involved in data manipulation or data treatment, the so-called “processors” in Article 28 of the GDPR. Relationships with these parties are regulated by contracts. </p>



<p><strong>Article
28 </strong></p>



<p>The EU General Data Protection Regulation 2016/679 (GDPR), in effect since 25 May 2018, states in Article 28 that </p>



<p>“…<em>the controller shall use only processors providing <strong>sufficient
guarantees</strong> to implement appropriate technical and organizational measures
in such a manner that processing will meet the requirements of this Regulation
and ensure the protection of the rights of the data subject.</em>”&nbsp; </p>



<p>The wording in bold characters in the text quoted above is not our personal typographic choice. The impact of this article has not yet been reviewed by Brussels, but the concept is crystal clear: the processor’s responsibility goes beyond its own organization; it extends to <em>the whole</em> business network it relies on. This also affects foreign companies and organizations that treat EU citizens’ data.</p>



<p>When dealing with sensitive data, governing relations with <em>processors</em> by contract is no longer a matter of common sense or best practice but an <em>obligation</em>, as dictated by Article 28, paragraph 3:</p>



<p><em>“Processing by a processor shall be governed by a
contract or other legal act under Union or Member State law, that is binding on
the processor with regard to the controller […]”</em></p>



<p>From a practical point of view, organizations should develop governance procedures for managing the sensitive data chain and all relations with processors, ensuring their compliance. This is where CLM can help.</p>



<p><strong>How
can CLM help?</strong></p>



<p>CLM’s basic principle is taking <em>full control</em> of the contract lifecycle and of all contract-related aspects that impact organizational issues. This means that by using CLM practices companies are able to control and manage the direct relations between business processes and contracts, considering the latter as sources. </p>



<p>It is a fact that Legal Audit is a fast and precise operation when CLM tools are adopted. The same cannot be said about traditional or manual legal management: at one of our customers the Legal Audit process was reduced, after adopting CLM, from 2 or 3 days to 30 minutes.</p>



<p>All
the above can be translated into the following general actions:</p>



<ol class="wp-block-list"><li>Identifying specific contracts and contract categories that represent sources of sensitive data.</li>
<li>Identifying IT and service contracts with third parties and contractors related to item 1.</li>
<li>Collecting the contracts in item 2 for auditing the GDPR-required guarantees and compliance of the involved parties for the whole data stream.</li>
<li>Integrating CLM with Business Process Management and its link to the GDPR process management: data treatment audit items should be <em>identified</em> with their legal sources in order to guarantee their management and enhance all following process maintenance.</li>
<li>Evaluating the opportunity of sharing the same tools as a common language between controller and processor.</li>
<li>Managing GDPR processes (audit and maintenance) using the legal perspective as a starting point.</li></ol>



<p><strong>Conclusions</strong></p>



<p>Organizations need support regarding EU sensitive data manipulation compliance; complex activities must be managed involving IT and service contracts review. Contract Lifecycle Management tools help organizations in the tedious task of identifying and collecting their processors for a correct GDPR risk management.</p>



<hr class="wp-block-separator"/>



<p>This article is also available on LinkedIn, in PDF format, <a href="https://www.linkedin.com/feed/update/urn:li:activity:6551485925355065344" target="_blank" rel="noreferrer noopener" aria-label="here (opens in a new tab)">here</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Why Business Process Management is a better choice than only process mapping in GDPR tools</title>
		<link>https://bkmsoftware.com/process-mapping-attrition-in-gdpr-tools-or-bpm-opportunity%ef%bb%bf</link>
		
		<dc:creator><![CDATA[Lorenz Baermann]]></dc:creator>
		<pubDate>Wed, 26 Jun 2019 14:29:21 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[cumplimiento]]></category>
		<category><![CDATA[gdpr]]></category>
		<category><![CDATA[Process Management]]></category>
		<category><![CDATA[Process Managementcompliance]]></category>
		<guid isPermaLink="false">https://info.bkmsaas.net/gen/process-mapping-attrition-in-gdpr-tools-or-bpm-opportunity%ef%bb%bf/</guid>

					<description><![CDATA[Companies and organizations are experiencing the first stage of a new digital support: GDPR management tools. We analyzed some of them. As for all previous cases of new business compliance processes there is today a growing number of tools in the market addressing the all&#8230;]]></description>
										<content:encoded><![CDATA[
<p>Companies
and organizations are experiencing the first stage of a new digital support:
GDPR management tools. We analyzed some of them.</p>



<p>As with all previous cases of new business compliance processes, there is today a growing number of tools on the market addressing the all-new European privacy law, the General Data Protection Regulation, which came into force on May 25, 2018. Our main conclusion: <em>these privacy tools have design limitations</em>.</p>



<p><strong>The problem</strong></p>



<p>In some cases the solution takes a technological approach (systems designed as if they were independent or static in nature), while in other cases it is functional: technical in compliance matters, yet still specific. </p>



<p>We classify both approaches as mainly marketing-oriented; not in order to criticize the quality of these tools as such, but the fact that the solutions are primarily momentum-driven commercial opportunities for a sudden demand, in a market that is still not well versed in the subject. <em>This practice does raise issues</em>.</p>



<p>Talking with GDPR experts, it emerges that some entrepreneurs and executives have adopted a view that limits GDPR compliance to bureaucratic document management or, even worse, treats it as a one-shot, maintenance-free operation. All this despite the many repeated warnings and the risk of running into huge administrative fines. </p>



<p>Moreover, we have been told in confidence that companies apparently prefer real-world business processes that do not match the ‘official processes’ they present, and carry on with their usual ones. The bottom line: the risk and the purpose of the compliance audit are dispelled although time and money are expended, and at a high risk cost at the same time.</p>



<p><strong>Back to the past</strong></p>



<p>We
note a remarkable parallel to the 90’s when ISO quality certification was
fashionable. It was not uncommon to find entrepreneurs chasing contingently
after a series of certificates, <em>however
without any serious intention to change their company culture</em>. </p>



<p>We worked with quite a few of them at that time and, unfortunately but not by chance, none of them had enlightened their future after such choices. (None of them exist anymore in the market, but this is just a personal account.) </p>



<p>Three
decades later quality at large -finally- seems widespread in many business
environments, and process mapping &amp; re-engineering is nothing new anymore.
The resulting benefits are acknowledged as part of our business culture. </p>



<p><strong>An innovative approach – a golden opportunity</strong></p>



<p>Underestimating the interventions required to meet the GDPR, or not taking advantage of all the actions needed during this process, may lead companies to choose the wrong tools, which then require serious compliance efforts. Often this road also makes it impossible to connect with other fundamental areas of competence such as Legal and Operations. Given all of the above, we raise a crucial question: </p>



<p><strong><em>Why should companies and organizations re-map their processes only for GDPR purposes?</em></strong><strong> <em>Why do GDPR tools not start from managed processes? </em></strong></p>



<p>Exchange standards are available, such as IDEFx, FFBD or BPMN 2.0 for modeling, or universal standards like XML or JSON, just to provide some examples. So how common is the adoption of process mapping tools, actually?</p>



<p>This lack of integration of best practices and previous investments leads to costly attrition.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
