Why structure, overview and control matter in compliance

By Gry Josefine Løvgren
May 30, 2024

Structure, overview, control. Three words we use extensively to describe Wired Relations. But why those words? What is meant by each of them, and why do they sum up the recipe for a robust, sustainable approach to working with data protection? Let’s break it down.

Structure

Structure is the foundation for all compliance work. You can't decorate a house without building it first, you can't drive a car without an engine and you can't start protecting your data before building the right structure. Mark the word "right". It is possible to start with the wrong structure, and that can lead to confusion and an inaccurate overview. Trust us, we've seen it happen.

In Wired Relations the structure is very simple. It goes: Systems, vendors, processing activities. The first step when starting from scratch is to map out the systems your organisation uses. For each system, simply write down its name, what you use it for, and who delivers it to you. This will automatically lead you to mapping out your vendors. Who are they, and are they data processors or not? Then, lastly, you can map out your processing activities.

That's it. That is the foundation and a default in Wired Relations. Whether you are a small company using just two systems, or a large international corporation dealing with hundreds of systems and constant new regulations, it will be easy to work with.

We have talked to clients who started their compliance processes with consultants setting up complex structures for them that they never fully understood or knew how to work with. And we have seen clients who opened an Excel spreadsheet and made three columns: Systems, vendors, processing activities.

Guess who was more mature on their compliance journey?

Overview

When you open Wired Relations, it should never take more than an hour to get an overview of your compliance work.

That is our mantra. Feel free to test us on it.

It is built so that every time you fill out an assessment, you get an overview of how you have progressed with it. And every time you add a new task, you will be asked to consider how you will continue to work with it. Do you need to repeat the task at the same time next year? Do you need to perform a control continuously every sixth month? Do you need to delegate the task to a colleague?

This is what makes the work sustainable and makes it a process instead of a project.

All these considerations of course require a strict overview. For this reason, Wired Relations has registers that show you the status of your work, for instance your tasks.

If you're the administrator, you can also see how far others are in solving their tasks. And don’t worry about missing things. If you have been deemed responsible for a task, you will be sent an email when it's time to perform it.

By using this approach you will get the work anchored in the organisation. The knowledge and all the hard work will be inside the solution instead of inside a colleague's head or scattered all over Word documents, Excel spreadsheets and emails.

Collaboration

A great overview is also essential for effective collaboration and involving others in the work. It provides the necessary context for those who need to participate. Without understanding the context, it's hard for people to know why they should prioritise the task.

Compliance work isn't just about filling in information. It involves training employees, deciding how to respond to new legislation, and constantly strategising about the next steps. You can't get an overview of all that from a PDF file. You need a document in motion.

Control

A big part of compliance is controls, and adhering to the controls. One control could, quite literally, be to walk around the building now and again checking if the locks are working properly. But the same goes for all your IT systems: are they prepared in case of an attack?

Once you’ve completed the controls, a list of completed actions will be available, showing accountability. Another very important thing. Accountability is such an inherent part of GDPR and deserves as much attention as the rest of the compliance work.

Those were the words.

Society and regulations will change all the time. But what is in focus here is what doesn’t change: That you need people to run the compliance work. And that there is a shortage of them. So take ownership from the beginning, practice structure, overview and control and anchor the process in your GRC solution.
