Written by: Mohit Sahgal

Good news: this is not another blog post on GDPR articles, recitals, dates, fines, etc. Rather, building on the previous post's DPIA implementation approach, this post focuses on GDPR program management, specifically the requirement to have demonstrable governance, risk management, and controls (aka “GRC”).

GDPR can’t be managed with good legal teams, program management, resources, tools, manual intervention, hope, and wishes alone. The only way to manage GDPR effectively and efficiently is with GRC technology. There are hundreds of GRC software packages, many of which claim to address GDPR, but many fall short of that goal. Why? Two specific reasons: 1) no diagnostic, formulated by legal counsel, to interpret and qualify the potential impact of GDPR; and 2) no organized set of baseline GDPR risk remediation strategies and controls that are customizable and extensible. Most organizations need a starting point to accelerate the DPIA, including documenting its results and identifying, prioritizing, and assigning the necessary actions. Most organizations don’t need yet another GRC documentation tool that offers no legal guidance or structure.

One GRC company ahead of the competition is IVIS. IVIS Pro addresses both of the gaps above: it incorporates a detailed risk self-assessment developed by Polsinelli and 51 suggested controls, organized around 11 major themes, developed by Huntington Ingalls Industries. IVIS Pro provides a foundation for GDPR risk identification, documentation, mitigation, and progress tracking that is visibly lacking in other GRC solutions.

While each organization must individually evaluate the impact of GDPR, knowing where and how to start can be half the battle. Why start from scratch?

References:
1. IVIS, http://ivis.com/
2. Polsinelli, https://www.polsinelli.com/
3. Huntington Ingalls Industries, https://www.huntingtoningalls.com/