
Law 25 Compliance: Why a Spreadsheet Is No Longer Enough

Elite Consultation · 2026-03-06

What spreadsheets do well

Let's be direct: a spreadsheet is not a bad tool. For many organizations that started working toward Law 25 compliance, it was the logical starting point. Quick to create, accessible to the whole team, easy to adapt. If you documented your information inventory or your incident registry in Excel or Google Sheets, you accomplished something concrete.

The problem is not the spreadsheet itself. It is that Law 25 obligations have a continuity dimension that spreadsheets handle poorly as the organization grows or processes become more complex.

Why spreadsheets reach their limits

Concurrent access creates version problems. Law 25 compliance touches multiple people in an organization: the privacy officer, human resources, IT teams, sometimes operations. When several people modify the same file, versions multiply, errors creep in, and it becomes difficult to know which version is authoritative.

There is no audit trail. Law 25 requires your organization to be able to demonstrate what it did, when it did it, and who did it. A spreadsheet does not reliably track changes over time. If the CAI asks you to prove that you notified affected individuals within the required timeframe, a modified cell in an Excel file is not compelling evidence.

Deadline tracking is not automatic. Law 25 generates recurring deadlines: incident notification timelines (72 hours for the CAI), response deadlines for access requests (30 days), periodic reviews of assessments. A spreadsheet will not alert you when a deadline is approaching. You have to remember to check, which introduces the risk of oversight.

Generating reports takes time. When it is time to assess compliance, present the status of incidents to management, or prepare a response to an access request, a spreadsheet forces you to do that work manually. The more entries an organization accumulates, the longer this task becomes.

The situations where the limits become real

Here are some concrete scenarios where teams realize the spreadsheet is no longer sufficient:

  • A privacy incident occurs on a Friday evening. The responsible person needs to find the incident form, document the risk assessment, and decide whether to notify the CAI within 72 hours. With a spreadsheet, finding the right template and ensuring all required fields are completed takes extra effort under pressure.

  • A person submits a request to access their personal information. You have 30 days to respond. The spreadsheet does not remind you of the deadline. If the person responsible for the file is absent, how does their replacement know the request exists and that the clock is running?

  • Management requests a compliance summary for the board of directors. Compiling the relevant information from multiple tabs across multiple files takes hours, and the result is never quite current.

When to move to a structured tool

There is no universal threshold. Some 20-person organizations have complex processes that quickly justify a dedicated tool; others with 200 people still work well with well-organized files.

Here are the signals that indicate the time has come:

  • Multiple people need to update the same registries
  • You have experienced an incident and realized your documentation was not ready
  • You need to generate regular reports for management or a committee
  • Your organization has overlapping compliance obligations (Law 25, ISO 27001, financial sector)
  • You have hired a dedicated privacy officer

A structured tool does not replace human judgment. It supports it by organizing information, tracking deadlines, and keeping a record of what has been done.

The goal: compliance you can demonstrate

Law 25 does not only ask you to do the right things. It asks you to be able to prove it. An incident registry, documentation of PIAs, tracking of access requests: these elements have real value only if you can present them clearly and credibly.

Observantia is designed for this reality: a tool that structures Law 25 obligations, tracks deadlines, and produces reports ready to share with management or the CAI.


This content is provided for informational purposes only and does not constitute legal advice. For questions specific to your situation, consult a qualified legal professional.
