Software for the Management of the GDPR in the Company
GDPR management software can be a valid tool in support of corporate compliance, but it must guarantee all the standards necessary for the protection of personal data.
With the entry into force of European Regulation 679/2016 on the protection of personal data (the GDPR), we are witnessing a proliferation of software solutions for GDPR management.
If, on the one hand, a management solution, rather than a merely documentary one, can be a valid compliance tool, or better, a support tool for the compliance of companies and public administrations, on the other hand the software must be chosen wisely.
Choosing management software with one's eyes closed exposes the data controller or processor to significant risks. An adequate solution must take into account the needs of the company or public administration, allow processes to be monitored and reviewed in a secure environment, and be easy to use both for the authorized staff and for the external consultant.
It is therefore useful to set out the requirements an efficient management system should meet in order to guarantee adequate data protection standards, analyzing from several points of view the critical issues that many GDPR management software products on the market present.
GDPR Management Software: Adequacy and Accountability
Controllers and processors very often decide to rely on GDPR management software rather than turning to consultants, whether genuine experts or self-styled ones.
In the abstract, this choice is neither bad nor good, but the choice of software, like that of the consultant and the organizational model, must be made carefully, because selecting an inadequate solution exposes the controller to significant liability.
It should be noted, however, that relying on software (especially if chosen on the basis of cost containment alone) is not always the best solution, even if choosing adequate software can offer real added value.
Very often the only function of the software is to print paper, without offering the consultant or the company organization any possibility of customization, to the serious detriment of the responsibility and accountability that the GDPR requires corporate organizations to acquire.
Many of these applications permit only a purely formal, paper-based compliance exercise, to the detriment of company processes, and expose the parties involved in the processing to specific risks.
As a result, neither the security of the processing operations is increased nor are the company's protection policies improved; on the contrary, they may be compromised.
Adequate Management Solution
Every self-respecting compliance process can (or rather must) go through a necessary path of awareness and empowerment of the controller and of the persons involved in the processing operations, in which the choice of an adequate management solution is, or should be, merely one piece.
On the one hand, the market offers solutions built on innovative methods based on science-fiction algorithms that claim to solve, with a single click, any problem relating to the protection of personal data and the management of company information: indispensable and necessary tools for every self-respecting consultant.
On the other hand, there are also solutions whose interfaces are of poor usability and can be used only by experienced professionals, and with considerable difficulty, with consequent damage to the company's data protection and information security policies.
The best solutions, for their part, have prohibitive costs and are not within the reach of all the controllers and processors who process personal data.
In contrast to these peaks lost in the mists of Mount Olympus, there are also solutions on the market that offer DPO services at 20 euros per month to the owners of boutiques, hairdressers' salons or other small businesses.
Needless to say, such solutions risk being not only a useless cost but even dangerous, since they instill a false sense of security which, in professional as in personal life, is always as harmful as excessive fear.
A management solution must not be an end in itself, for either the company organization or the consultant, but a means of achieving an adequate level of data protection; used in the right way, it can really bring the added value that companies are looking for: a process for documenting, monitoring and managing obligations and procedures simply, especially in the documentation phase.
The application must not build paper armor; it must be a window that allows the consultant or DPO to enter the company directly, to make direct contact with the internal privacy officer (or "designated person", to use the terminology of the Privacy Code) and to monitor the registers, company procedures, contracts and risk analysis constantly and fairly easily and, above all, to allow the constant and efficient updating of the models according to the logic of fluidity that the GDPR requires.
In this sense, the controller should make it possible to keep data protection under control by opening a dialogue window between the external consultants and DPOs, who know the legislation well, and the company contacts, who know company practices and processes best, with an experience that an outsider will hardly be able to acquire.
Basically, a suitable software solution should be highly customizable to the controller's needs and the processes he defines, easy to use and manage both for the external consultant and/or DPO and for the internal privacy officer (usability), and immediately updatable, with a view to the constant monitoring of all processes (updatability).
Finally, given that the management solutions on offer themselves process personal data, it is essential that the provider is the first to ensure high standards of information security and the storage of that information in a secure environment.