Time is rapidly running out for organisations to meet the 25 May 2018 deadline for compliance with the EU’s General Data Protection Regulation (GDPR), so one would think that most organisations are frantically preparing for such a momentous change in data laws. Especially so, given that the financial penalty for failing to comply with GDPR will be either 4% of a company’s turnover or €20m, whichever is greater.
That’s not necessarily the case though. Recent research (Q4 2017) with European business leaders revealed that only 8% of businesses are ready for GDPR and have made the necessary compliance changes. More than half of those surveyed believe GDPR is too complex for middle-market businesses, while 26% admitted their organisation would not be compliant by May.
Equally concerning is that many organisations are not using the right tools to manage GDPR effectively. Microsoft Excel is one of the most widely used, yet it is incapable of assessing GDPR risks and issues, or of managing them on a continuous basis. This is why it is so unsuitable for GDPR.
The size and scale of the GDPR challenge
Excel is a perfectly adequate tool for managing static information. But GDPR data is not static – it is ever-changing and ever-growing, and Excel simply cannot keep track of it effectively. Not only are there large volumes of GDPR data in many organisations, but that data is stored in many disparate places across the enterprise, and in many different formats.
It’s no exaggeration to suggest that for big organisations especially, there could be around 500 different applications managing information. Not only are spreadsheets a hugely time-inefficient way of managing this, there is also the question of data ownership and permissions.
GDPR is heavily reliant on secure processes and a strong permissions system, tracking who can access data and who has responsibility for it. Excel doesn’t manage any permissions whatsoever, and has no action or audit trail, so it is completely unsuited to this element of GDPR. Using Excel for this would mean responsibility for and ownership of data are almost entirely untracked.