To us, GDPR compliance is ultimately about risk management, not merely about compliance.
An organization found to be non-compliant with GDPR will suffer reputational damage given the global profile of the regulation. Damaged reputation in turn depresses the organization's valuation, since negative market news about the organization is expected to hurt sales and revenue.
To address this risk in a structured manner, we have created a GDPR governance diagnostic tool, the outcome of which should be used by boards of directors to perform informed oversight of GDPR compliance in the organization.
Assessing over 50 categories of compliance (the actual number differs per organization), the tool provides a structure by which to assess the extent of management's efforts to achieve GDPR compliance, as part of the GDPR requirement that both data controllers and data processors be able to demonstrate compliance. The outcome also provides a means to monitor the associated risks.
The image above illustrates the depth of our compliance assessment and analysis across eight GDPR compliance categories, giving the board a clear understanding of the specific operating model constructs (the coloured circles) needed to achieve compliance for each element within each category. The blank boxes above are compliance elements that are not relevant to this particular business.
Also reported is the progress and trend of the work required to become compliant in each of the highlighted areas. This enables the easy identification of efforts that have stagnated, allowing any board member, whether or not they understand GDPR, to ask the relevant oversight questions.
Our diagnostics provide the board with everything it needs to govern the risks associated with deploying the relevant levels of data security and data privacy, as well as governing the risks associated with not being fully GDPR compliant.