Microsoft Excel is fine – but don’t rely on it to manage GDPR

Time is rapidly running out for organisations to meet the EU’s General Data Protection Regulation (GDPR) compliance requirements by the 25 May 2018 deadline, so one would think that most organisations are frantically preparing for such a momentous change in data laws. Especially so, given that the financial penalty for failing to comply with GDPR will be either 4% of a company’s turnover or €20m, whichever is greater.

That’s not necessarily the case though. Recent research (Q4 2017) with European business leaders revealed that only 8% of businesses are ready for GDPR and have made the necessary compliance changes. More than half of those surveyed believe GDPR is too complex for middle-market businesses, while 26% admitted their organisation would not be compliant by May.

Equally concerning is that many organisations are not using the right tools to manage GDPR effectively. Microsoft Excel is one of the most widely used, yet it is incapable of assessing GDPR risks and issues, or of managing compliance on a continuous basis. This is why it is so unsuitable for GDPR.

The size and scale of the GDPR challenge

Excel is a perfectly adequate tool for managing static information. But GDPR data is not static – it is ever-changing and ever-growing and Excel simply cannot keep track of it effectively. Not only are there large volumes of GDPR data in many organisations, but it is stored in so many disparate places across the enterprise, and in so many different formats.

It’s no exaggeration to suggest that for big organisations especially, there could be around 500 different applications managing information. Not only are spreadsheets a hugely time-inefficient way of managing this, there is also the question of data ownership and permissions.

GDPR is heavily reliant on secure process and a strong permissions system, tracking who can access data and who has responsibility for it. Excel doesn’t manage any permissions whatsoever, and has no action or audit trail, so it is completely unsuited to this element of GDPR. Using Excel for this would mean responsibility and ownership of data are almost entirely untracked.

Excel cannot be the system itself

Because GDPR is so changeable, there is a real need for a much more dynamic data register than Microsoft Excel. Given the volume and complexity of the data involved in GDPR, the relationships held by that data are of the highest importance when looking for a dependency view of PI – process, entity, IT systems, data subject, ownership and much more.

To manage this PI data subject register, a more collaborative and central tool is essential, otherwise data relationships can be missed and the impact on GDPR from this can be catastrophic. Such a system can more easily maintain links with IT project steps, such as security.

Security is at the heart of GDPR, and keeping consumer data secure in the digital world we now live in is why GDPR is being introduced. Any organisation seeking to keep data secure with Excel is facing an almost impossible task – no alerts when security could be compromised, no awareness when data has changed, been observed or been accessed.

GDPR is all about the process

When addressing any compliance – including GDPR – the smart place to start is always with business processes. If organisations try to address this within an application then the project is doomed to failure, and that’s why good GRC requires the right solution to manage it effectively.

OXIAL recently launched the OXIAL GDPR EXPRESS, based on the idea that compliance is an ongoing and continuous process. It’s a solution that utilises automation of processes to ensure nothing falls through the cracks and users know exactly how their data relates to GDPR. Not only are they alerted when requirements change, but they know that data is protected and kept secure at all times, and that new data coming into the business will be too.

Spreadsheets cannot even begin to compete with this level of functionality: they require manual intervention for reporting, have no alert systems for security and do not deliver workflow-driven processes.

Microsoft Excel does have many uses in business, and a great many organisations would struggle without it. But the fact that people are comfortable and familiar with it does not make it a suitable tool to manage GRC requirements in general, and GDPR specifically.

With the penalty for non-compliance with GDPR so strict, can organisations really risk managing GDPR with such a limited tool as Excel?