Over the next few months, I will be writing a blog series on methodically implementing the GDPR. This series consists of fourteen parts and is intended primarily for privacy professionals tasked with implementing the GDPR. In addition to the blog below, which deals with the implementation of the GDPR as a project, I will be discussing the respective thirteen main objectives of the GDPR to be achieved in subsequent blogs.
The need for a methodical approach in GDPR implementation
At a time when data protection and privacy are central issues, a methodical approach to General Data Protection Regulation (GDPR) compliance is critical. In this blog, we explore why it is so essential and how organisations can approach it methodically.
From "adhocracy" to structure
Today's challenges - from sudden questions about privacy notices and processor agreements to dealing with data breaches - require a more structured approach. The benefits of a methodical approach are clear: clarity on the applicable legislation, an understanding of business processes, risk profiles and GDPR responsibilities, and as a result, an organised work environment.
A GDPR project in five steps
Step 1: Understanding the organisation and its structure
Before diving into the GDPR, we need to understand the organisation. This means exploring internal and external sources of information, from software applications and licenses to corporate strategies and privacy policies. By gathering all this data, we can create an organisational profile that helps identify the company's legal and functional organisational chart. This is essential to understanding who determines the "purposes and means" of data processing.
Step 2: Determining the GDPR context
Questions such as "What legislation applies?" or "What software applications are used for data processing?" are fundamental. This step also helps us determine which data processing operations are performed, the associated risk profile and the organisation's specific GDPR roles. Seeing where data is being processed geographically is also crucial, especially if it is outside the European Economic Area (EEA).
Step 3: Assessing the organisation's GDPR status
To create an effective GDPR implementation plan, we must first understand the current state of GDPR compliance. This can be done through a gap analysis, in which we compare the desired situation to the current situation and identify the risks resulting from this gap.
Step 4: Preparing the 'GDPR Implementation Advice' report
Once we have a clear picture of the current situation, we can prepare a 'GDPR Implementation Advice' report. This plan should include advice on the prioritisation of activities at the level of the main objectives, based on the importance and the order in which these 'urgent' activities should be addressed.
Step 5: Implementing the GDPR implementation advice
This step will be covered in detail in the next 13 blogs which, along with this first blog, comprise the curriculum of the DPO training course I teach. During the online sessions, the more extensive lecture notes will be supplemented by experiences from my own practice.
The implementation of the GDPR is not just a one-time task; it is an ongoing process of monitoring, adjustment and improvement. A methodical approach is therefore useful not only for initial implementation, but also for maintaining and updating GDPR practices over time.
A structured approach to the GDPR not only ensures compliance but also gives organisations peace of mind, knowing they have a solid foundation for protecting data and meeting legal requirements. Therefore, in a data-centric world, a methodical approach is not a luxury but a necessity.