Most people we are speaking to are facing the following decision: Do I run my data protection organization in spreadsheets or do I use a Data Protection Management Software (DPMS)? What are the advantages and disadvantages of either option? Let us have a look in this article.
Before we go into the pros and cons of either spreadsheets or a dedicated software, let us quickly recap what the goals are.
In simple terms, as a data protection coordinator or officer, your job is to build a data protection organization consisting of:
- An understanding of how personal data is being processed in the organization (legally, practically, technically, involved parties, etc.)
- Establishing processes handling certain events (data subject access requests, incidents, employee onboarding, and many more)
- Establishing processes for regular checks and audits
- Building documentation for reporting and accountability towards management and authorities
Spreadsheets are a good starting point, because they are free (aside from the general Microsoft Office license) and without commitment. They are flexible to use and almost anybody can (to some degree) work with them. A typical data protection organization with spreadsheets (and other office documents) might look like this:
- A file space containing documents for forms, documentation, reports, templates for signing and so on.
- One or more spreadsheets for lists of Processing activities, Vendors, Measures, TOMs, DPIAs and more
- Additional documents/intranet pages/wikis/handbooks/how-tos for employees providing instructions on “How to record a Processing Activity”, “How to report a vendor”, “How to carry out a DPIA” and where to find information
- Lastly, emails play a big role. Most data protection coordinators and officers delegate tasks and distribute files via email.
The ultimate advantage of spreadsheets and word processing documents is that they are infinitely flexible. Anything can be changed by anyone at any time as needed.
Furthermore, in spreadsheets it is easy to move data around. Formulas can be used for highlighting or displaying information in multiple places.
Since there is no overarching system explaining what files are for or what they (should) contain, a lot of contextual information is needed to operate and navigate a data protection organization based on files. New or part-time team members have a hard time finding their way.
Another disadvantage is data duplication. Because data resides inside documents and is copied (by hand) from one document to another, there is a risk of losing track of what is up to date (and what isn’t).
Because anything can be changed by anyone at any time, errors can easily occur when using formulas that reference between lists. There are limited options to reduce permissions for others.
Data Protection Management Software
A DPMS unites all the information and tools that would otherwise be in multiple files into one system. Taking the example of ECOMPLY, the DPMS contains:
- A web platform with user accounts
- Database-like features for keeping track of items
- Logical links between these items so they can be displayed in contextually relevant places
- Document generators to produce printable reports
- An email-notification system
- Social tools for annotation, task management and commenting
- A logbook
- Risk assessment tools
Because a DPMS is built as an all-in-one solution, it can offer functionalities that are impossible with a loose collection of files.
Information can be collected from multiple people flowing into a single data set (e.g. a Processing Activity).
Data storage (in the database) is disconnected from data display (in documents/reports) so that it can be exported flexibly into multiple formats. There is only one source of truth and it is always clear which information is current and up-to-date.
Teams can collaborate more effectively because the system user interface offers structure and advice for navigation. It is possible to leave comments and have discussions on items in-place. The logbook keeps track of who did what. The permissions system makes sure that people only have access to the right items.
Users can be notified about important occurrences via email because everything resides in a unified system.
Users transitioning from spreadsheets to a comprehensive DPMS will often be missing flexibility. Changing the structure of data and moving data around is not supported in a DPMS as freely as in spreadsheets, because there are many routines linked to it (permissions, translations, evaluations, validations, and many more).
A DPMS requires the user to adapt his working style to the architecture of the software. While this provides structure and is an enabler for many advanced features, it often feels limiting to the user.
Comparing spreadsheets with a DPMS is like comparing a craftsperson’s workshop to a factory floor.
The workshop (of spreadsheets) leaves maximum flexibility to the craftsperson (even to go as far as inventing new things) while having limited support for multiple people and providing little context to unfamiliar users.
The factory floor (i.e. the DPMS) is highly optimized for creating a pre-defined product with a pre-defined process. This leaves less room for flexibility, but can be operated more easily and produces higher quality results more consistently.
Whether a DPMS or spreadsheets are the right tool for you will ultimately depend on your needs. How large is your team? How many people are interacting with the data protection organization? How experienced are these people? Is it an option to adjust existing processes to align with the DPMS or do you need a strong degree of customization?
Let us know what you think!