
GDPR: a matter of group governance

Make IT Safe

GDPR compliance, a group effort

One striking aspect of the General Data Protection Regulation (GDPR) is the power of supervisory authorities to impose administrative fines of up to 4% of an undertaking's total worldwide annual turnover (Article 83). Because the fine is computed on the turnover of the whole undertaking rather than of the entity at fault, a single subsidiary's failure exposes the entire group, which makes compliance a group-wide effort across every entity.

Several needs emerge:

  • a steering need: the group's compliance or control bodies must be able to direct and monitor the compliance status of each entity
  • a sharing need: GDPR guidelines and best practices must circulate across all entities of the group
  • a knowledge-sharing need: staff must be trained on GDPR (this converges with the awareness obligation that the regulation itself places on controllers and processors).

A governance model suited to the group

Groups must therefore set up GDPR compliance governance (or include GDPR needs in broader compliance governance). Work led by Make IT Safe with clients has highlighted different governance mechanisms:

  • Models with a group-level Data Protection Officer (DPO) acting as "lead" over the DPOs of the subsidiaries.
  • Models where a single entity defines the guidelines and steers compliance on behalf of every entity.
  • Models where compliance is largely delegated to the individual group entities.

The governance type adopted depends heavily on initial organisation and context.

A need for tooling

Alongside defining governance, many groups identified the need for a tool. GDPR compliance involves many recurring tasks (mapping of processing activities, keeping the register of processors, handling data-subject rights requests, and so on), continuous follow-up and a growing demand for responsiveness. A good initial organisation is no longer enough: groups need a complete tool for steering compliance across the whole group.

The key criteria for selecting a GDPR tool are its features, how much they ease the compliance work, and how well they support maintaining compliance over time. Given what is at stake in group governance, it is also fundamental to assess the tool's ability to carry the governance model the group has adopted.

Adaptability and agility for GDPR needs

A tool’s ability to adapt to a governance model is tied to:

  • Precisely describing the group structure.
  • Segregating compliance work by entity where needed.
  • Effectively describing compliance actor roles across the group.
  • Establishing hierarchies between entities and/or actors.

The need doesn’t stop there: a group is an organic structure that evolves. The tool must follow group evolution: new entities, mergers or integrations, actor changes, responsibility evolutions.

A good GDPR solution for large groups isn’t limited to matching the regulation’s articles — it also includes the group’s organisational dimension and the ability to adapt to the governance stakes of an evolving group.