Are your spreadsheets putting your GDPR compliance at risk?


Venky Rangachari

Venky Rangachari is the Vice President of Information Technology and Security at Anaplan. He has over 20 years of experience in information technology, having held myriad strategic IT leadership roles at Thomson Reuters, Wyndham Hotel Group, StarCite (Amadeus), among other companies. Ensuring that company technology visions align with overall business strategies, Venky is a seasoned leader with extensive experience in real-time analytics, online e-commerce, and advanced technology.

The General Data Protection Regulation (GDPR) is a regulation enforced by the European Union that is intended to strengthen data protection and global compliancy to the newly imposed regulation recently reached an apex of anticipation.

In the months-long build-up to the May 25th deadline, adherence to the regulation became the talk of the town. It commenced countless obligatory “we’ve made changes to our Privacy Policy” emails, reformed strategic marketing and communications campaigns, bore the brunt of good-humored memes and tweets, and even went so far as to inspire a GDPR-themed Spotify playlist.

In other words: It nearly broke the internet.

Now, as the deadline has come and gone, many business professionals have let out a collective breath of compliant relief. However, will jovial celebrations of compliance be short-lived? Organizations that have incorporated GDPR compliance into their manual processes could still be playing a little too fast and loose with consumer data, which could result in unintended non-compliance and hefty penalties.

Failure to meet GDPR requirements can result in fines up to millions of dollars or four percent of the non-compliant company’s total global revenue for the preceding fiscal year, whichever is higher. These high-stake costs make it critical that businesses place high priority on a sustainable process that can ensure long-term compliance.

Unmasking the vulnerabilities of spreadsheets

As mentioned in a previous Anaplan blog, big data can bring about the potential for big security concerns. Businesses that rely on spreadsheets to store personal data could expose data anonymity and protection to high levels of risk, especially when spreadsheet documents are improperly shared, stored, or protected. Although there are many processes and safeguards that can be implemented to comply with GDPR, it would be very difficult to accomplish this in a spreadsheet alone.

For a sustainable compliance program, organizations should rely on a secure data storage platform that can help prevent any costly data breaches. Today’s technology can help organizations ensure that they meet compliance through refined control over user access, data types, and proper safeguards. Bring your own key (BYOK) encryption platforms that don’t retain access to customer data are ideal, as vendors using traditional relational databases typically have a database administrator who retains access to customer data.

The use of a BYOK solution provides businesses with an additional layer of data protection and further reduces risks of a data breach. It provides the ability to encrypt a company’s proprietary and confidential information in the cloud before incorporating it into planning models. This allows the customer to meet specific compliance and regulatory requirements while protecting its most valuable data assets on a single, monitored, and secure cloud platform and infrastructure.

Using the Anaplan platform to address GDPR

Anaplan provides one of the most secure and trusted Connected Planning platforms and has invested in a number of areas to strengthen user access and control, authentication, identification, and data encryption to provide greater confidence and trust. Anaplan will continue its ongoing investment in data security to help its customers meet standards of data privacy, protection, and rights.

With respect to GDPR specifically, Anaplan helps its customers ensure compliance in the following four ways:

    • Transparency into information use. The GDPR requires that organizations provide information about how the information of individuals is used.
        • Transparency is a key tenet of platform strategy for Anaplan. Anaplan’s Connected Planning platform is designed to allow customers to control their application data and monitor system access. Extensive log files document access and usage of all data that can be monitored by a customer’s Anaplan administrators, as set up by the customers.


      • Anaplan’s web privacy policy clearly articulates Anaplan’s practices for collection and processing of personal information from its website visitors, and the rights of those website visitors regarding Anaplan’s use of their personal information. Under Anaplan’s platform privacy policy, platform users are able to directly communicate with Anaplan’s privacy team regarding their data and other privacy-related issues.


    • Access controls. The GDPR requires organizations to implement technical and procedural measures to control who has access to personal information.
      • The Anaplan platform allows customers to control who can access their workspaces and models within Anaplan’s Connected Planning platform. Customers should work with their Data Protection Officer to ensure that this access is restricted to the appropriate parties.


    • Visibility into processing and data accessibility. Under the GDPR, individuals must be able to obtain a copy of their data and know how their data is being used.
      • Customers can request that their platform data be located with Anaplan in a specific region. Customers should work with their internal team to ensure that they have the proper policies and procedures in place for access restrictions. The Anaplan platform records model changes over time, allowing users to see the model history. Customers should evaluate this feature in detail to ensure that it meets their requirements.


    • Privacy by design. Under the GDPR, businesses must abide by account data privacy protections throughout all project stages and process development, from inception to execution.
      • With the Anaplan platform, customers can make the contents of individual cells or entire rows and columns read-only, editable, or invisible in the solution. The combination of Dynamic Cell Access with the Users list allows users to enter data but not view data entered by others.


Anaplan BYOK datasheetRead datasheet