1 KuppingerCole Maturity Level Matrix – How to use this document
The EU GDPR (General Data Protection Regulation) has a significant impact on how organizations can collect, store and process PII (Personally Identifiable Information). It applies to all organizations that do business with EU residents, regardless of where these organizations are located and whether they have a subsidiary in the EU. It also applies to services that are free of charge, such as many search engines or social networks. Many organizations have initiated and implemented programs over the past few years to work towards compliant systems and processes.
1.1 Why GDPR readiness and compliance programs need regular reviews
IT systems and business processes evolve to support new use cases, business requirements, and deployment models. During these changes it is important that compliance with all applicable regulations, and especially with the GDPR, is continuously ensured and that all necessary evidence is collected. Unlike some other regulations, the GDPR provides for no regular inspection of compliance with its requirements. Rather, individuals (including customers, employees or other relevant data subjects) and the competent supervisory authorities are able to make enquiries when alleged or actual omissions or offences are to be investigated. Nor, as yet, is there any proof of GDPR compliance in the form of a regular and permanent seal of quality.
Nevertheless, assessing the quality and maturity of the controls, systems and processes implemented by an organization is essential. Given the level of agility demanded by business and market requirements, this assessment needs to be carried out on a regular basis. Continuous improvement is essential to achieve an adequate level of compliance in all key areas of the GDPR.
KuppingerCole strongly recommends regular reviews of the current state of IT projects and programs. This includes reviewing maturity in the area of compliance with regulatory or industry-specific requirements and frameworks. To support such reviews, KuppingerCole provides Maturity Level Matrixes that are specifically targeted at distinct areas of the IT market, in this case GDPR readiness. The following sections explain the KuppingerCole Maturity Level Matrix for GDPR readiness.