Compliance best practices: the business impact of a GRC system compared to Excel spreadsheets
Organisations often find it complex and time-consuming to maintain and update compliance documentation. Even when the data flow analysis and data mapping documentation are completed, the maintenance can be an unnecessarily difficult annual task if your organisation lacks appropriate tools.
In this article, we will compare managing GDPR documentation in Excel spreadsheets to using a Governance, Risk, and Compliance system (in short GRC system). We are aware that GRC systems differ in terms of offerings and features, but for the purpose of this article we will focus on GRC systems that contain features which are also found in Complyon’s own GRC system.
The benefits of using Excel spreadsheets as a compliance tool
According to our experience with customers, a lot of organisations use spreadsheets to document their data mapping and GDPR activities (GDPR art. 30 documentation).
Spreadsheets are usually the tool of choice for documenting these processes and their risks, because they have a low barrier of entry as most organisations already have the licenses and are familiar with the tool.
These spreadsheets become the main tool for staying GDPR compliant, which means the spreadsheets are used for documenting GDPR tasks and their status. They are also commonly used for dataflow analysis, and for documenting privacy and business risk as well as their mitigation possibilities.
For GDPR purposes, it is not only required to document these processing activities, but also the associated risks, and their mitigation possibilities.
Even though spreadsheets are a very versatile tool, there are several issues with relying solely on them.
3 reasons why spreadsheets are insufficient for GRC management
1) Updates need to be added in multiple places
Each spreadsheet often lives in a silo, so data protection, risk management, and governance are not connected, and changes to one area are not reflected in another. This means that when you update a processing activity in one spreadsheet, you also need to manually update everything else related to this activity. The changes are not automatically embedded in the ecosystem of the processing activity and so must be updated in several places.
2) Lack of accountability
Spreadsheets are usually located on shared folders, where a lot of people in the organisation have access to view and edit them, and there is no proper audit trail. In these situations, we often see different versions of the same spreadsheet in different locations. This means it is not possible to see the history of the changes, and errors can go unnoticed and untraced.
3) Rapid growth leads to confusion
The GDPR sheets quickly become very complex and impossible to maintain. This is usually seen when the spreadsheet is created in a small mapping exercise but then grows as the need expands until, in the end, it is impossible to verify the contents are correct, difficult to maintain, and more time consuming than necessary.
Most organisations are aware of these issues and try to mitigate them. Usually, one department will be granted ownership of a spreadsheet. Although some small organisations can have success with the spreadsheet approach, it is not a sustainable solution for most as it can become very expensive in the long run.
It’s also common that organisations struggle with updating and maintaining very large spreadsheets, as the responsibility is often placed with a single individual in the Legal department.
While spreadsheets are a great tool for quick documentation, for most companies, they are not a sufficient tool for governance, risk, and general compliance.
Where spreadsheets fail, GRC systems create value for your business
Existing documentation located in spreadsheets can be valuable when transitioning to a GRC tool, as spreadsheets can be used as a good foundation. Going from using spreadsheets to using a GRC system is beneficial when reporting on more detailed compliance documentation.
The documentation does not only fulfill GDPR requirements but can also be used to determine the security level, risks, IT strategy, and management compliance strategy.
3 key reasons to transition to a GRC system
1) Interrelated processes within GDPR improve reporting
Using a GRC system connects Legal, IT, and Cybersecurity departments by involving responsible individuals at the right time during the GDPR compliance project. This means that GDPR processes are not silo-based but interrelated within the GDPR processing activities, as every activity is connected to the rest of the processing line of personal data.
Interrelated data mapping is what makes reporting possible. In a GRC solution, interrelated data mapping creates the option to report on every layer of the data mapping. This means that if there is a need for a high-level report on all GDPR processes, or a need for a report on risk scenarios, the GRC solution can easily provide this.
One example of this is when updating data mapping according to a GDPR annual wheel, where you do not need to update everything manually, but instead only once. The image of a GRC solution below shows how to see whether the status of existing documentation is up to date in a GDPR art. 30 documentation overview. The highlighted process is ‘Finance’ and the underlying activities are shown to the right. The fields that are missing (organisational measures in the Budgets activity) and would otherwise complete the data mapping are marked with warning signs.
2) Control who has access and can make changes
When using a GRC system, you are not only logging every action taken, but also have reporting advantages – making it possible to report on what changes have been made, what the data was previously, and who made the changes.
The list of people who can do this is minimal and only includes the owners of specific GDPR processes. In comparison to spreadsheets, it is only the owner of the GDPR process or the owner of the IT system who has access and can make changes. If changes happen, they will be reflected in the rest of the data mapping. This means every relevant part of the data mapping that is connected to a specific GDPR process or IT system will be updated with the new data automatically, without needing any human effort.
3) Save valuable time
Complyon conducted research with an existing client in the banking industry comparing how much time they saved using a GRC system in comparison to spreadsheets.
The research focused on the time spent when working on a compliance project in a smaller-sized bank, and showed savings of 294 hours per year per department (319 hours per year minus 25 hours per year). Exact results will differ depending on the sector, size, and complexity of the company, but it shows the potential for significant time savings across departments.
This is a lot of working hours to save, and still receive a result that is not complete. It is important to say that the sector, size, and complexity of the company must be kept in mind. The more legally regulated the company, the more time is saved when using a GRC solution.
The takeaway of this research was knowing the exact effect that maintaining data can have on the core business, and how big a “disruption” it is to the business. Involving a lot of internal resources in a compliance project not only disturbs the core business but also shifts the employees’ focus away from their actual work area.
This means 319 hours per year is a lot of working hours to take away from the core business, compared to using 25 hours per year. Thus, every department benefits, and there are no more manual updates.
To wrap up the advantages of using a GRC solution:
- Interrelated data mapping
- Log management
- Time saved
3 extra advantages of GRC systems
Besides the above-mentioned, using a GRC solution is like using a knife to cut the bread and not a spoon. A GRC tool not only provides the above, but also adds much more value.
1) A better overview
When using the right tool for compliance, you can see an overview of your work, providing easy access to where input is missing and understanding how far the project is in the overall plan.
Power BI dashboards come in handy when reporting, monitoring and managing a large amount of data. Instead of having data scattered around the departments, it is easy to see the data in visual diagrams. BI dashboards give a live status in 5 seconds and are accessible 24 hours a day.
Power BI dashboards can give an overview of:
- Missing inputs in data mapping
- Status of different assessments (DPIA, BIA, or TIA)
- Implementation of frameworks (e.g. ISO standards)
Most GRC systems have dashboards available that are used for some overviews, but they do not always draw on the data in the system. The advantage of having Power BI connected to the input in the GRC system is much greater than having separate data in the system and external dashboards.
2) Communication handled in the system
When using a GRC solution, as mentioned, it is possible to do assessments, and as part of this you can send questions from the system to a specific third party and store the answers in the system. This means that you are managing and diving into the GRC project on a much more detailed level.
3) Interrelated frameworks
When using a GRC solution you can interrelate the frameworks that the business is following. This means that you can implement the result of the frameworks in the general business strategy. The Governance, Risk, and Compliance project then becomes one with the business and not a time-consuming project.
To wrap up the bonus points of a GRC solution, the following are important to have in mind:
- BI-dashboard overview
- Automated assessments
- Easily implemented frameworks
What does the future look like?
One last thing to keep in mind for the future: an organisation must ask itself where it wants to stand in the future, as Governance, Risk, and Compliance become more important every year.
As the business expands, more people will be involved in the compliance project, there will be more data, and the complexity of the data will also increase. Therefore, businesses need to consider whether the Excel spreadsheets that suit them this year will still be beneficial next year.