A case study on GDPR compliance
The Information Security Compliance team at PROS, Inc needed to get away from the time-consuming manual tracking of spreadsheets saved on SharePoint in order to effectively manage audits and tackle GDPR compliance. With the adoption of Onspring, the team’s work time reduced by half while audit project outputs increased and compliance improved.
reduction in time to perform audits
hours per week saved per employee
While GDPR compliance acted as the catalyst to drive the business away from manual spreadsheets, any alternative solution had to also support their other complex responsibilities, including internal audit and third party (security) audit management, security council and security policies, cyber incident response management, corporate and security risk assessments, and vendor risk management.
New considerations from GDPR regulation required the team to start planning for implementation of new procedures, audits, and reporting to document not only their own compliance but all third-party processors.
- Contract updates were required to reflect adherence to GDPR regulations
- Risk assessments had to be conducted to evaluate each vendor’s security framework
- Any third-party processor not in compliance would violate PROS GDPR compliance
- 72-hour turnaround now required for any GDPR data request
- Detailed logs would be required to track all identifiable data collected
- Documentation of data management efforts were now required
- New data protection plans needed to be created and maintained
- Incident response plans for GDPR data requests need to be created and tested
- Periodic risk assessments specific to those plans needed scheduling and deployment
After reviewing several compliance software platforms, the Information Security Compliance team realized Onspring provided the most robust and practical approach to managing GDPR compliance . While also supporting the team’s other responsibilities around enterprise audits, vendor risk management, reporting security protocols, and cyber incident response management.
“Onspring did everything we needed and a thousand other things we didn’t even know we were looking for. The other tool was single-topic and not very flexible. Onspring gave us all the parts and options we needed, plus a framework of templates for future expansion.”
Flexibility & ease of use
The team immediately jumped into the platform by first attending Onspring-led training before playing around on their own inside the platform for a few days. This self-exploration of Onspring helped the team realize the easy, intuitive nature of setting up process workflows for risk assessments and audit projects, not to mention creating automated workflows and reports for all compliance programs.
With their Onspring implementation, the team could now manage their entire body of data, keep up with correspondence, track progress with reports and dashboards, find exactly the information needed, and tailor all workflows to fit their unique business processes.
Automation added to new increase efficiency of workflows:
- Design & operating tests: Auto-generated tests were established to conduct initial, year-end, and follow-up reviews that related controls to regulations, owners, and supporting evidence
- Vendor Surveys: Risk assessment surveys were created to send on a schedule to third-party processes for recurring reviews of security standards
- Documented findings: Auto-created records of findings from tests and assessments drove quick resolution action
Creating real-time compliance visibility
Reports were set up to provide real-time visibility into the details of controls associated with GDPR compliance, vendor assessments, and cyber incidents. Then reports were aggregated into dashboards to provide individual team members with at-a-glance views into their overall compliance program. At the request of senior management, an exec-level dashboard was set up to provide stakeholders with up-to-date information on overall compliance and risk management initiatives.
Controls could now be viewed in real-time without the effort of collecting and analyzing data.
New reports and dashboards aggregated views created for:
- Active controls by compliance and validation status
- Risk register controls by process name and compliance status
- Open design and operating tests by owner and status
- Open and past-due compliance mitigation plans by status and owner
PROS management of GDPR requirements has been seamless with the implementation of Onspring.