Are you aware that the 11 chapters and 99 articles of the GDPR hide 57 mandatory privacy activities?
They do exist! The Regulation, however, lacks an ‘instruction’ explaining what these activities are and how they can best be implemented in order to achieve GDPR accountability.
In the coming months we intend to take you through the four-phased GDPR implementation process we have worked with during the past three years. Core to this process is that it embeds privacy activities into a management cycle.
In this blog series we will touch in more detail upon this implementation process, explain why we think a Plan-Do-Check-Act-based approach is important, and share the experiences gained using this process in our daily practice.
In the remainder of this blog we will address the need for a systematic, software-driven, and role-based implementation methodology.
One of the most common questions we have been hearing post May 2018 is:
“How can I implement the GDPR in such a manner that GDPR compliance becomes an integral part of my organisation’s business processes?”
This question makes a lot of sense. It touches upon the core of the GDPR challenge, which is how to systematically embed GDPR compliance into an organisation. This is indeed quite a challenge, and one overlooked in many GDPR projects. That may not come as a big surprise: projects have completion dates, whereas embedding processes in day-to-day operations has none. In our opinion this requires a systematic, i.e. PDCA-based, implementation methodology.
Early in 2017 we started to develop such a PDCA-based implementation methodology in a ‘Software as a Service’ (SaaS) format. This approach, which has since become role-based, is in our experience best suited to address the complexities of the GDPR implementation process.
The roles identified are: ‘Inspector’, ‘Policy maker’, ‘Planner’ and ‘Controller’. In greenfield organisations, these roles are to be executed consecutively. In organisations already ‘GDPR compliant’ the roles can be used to audit and improve the actual GDPR compliance status.
- Inspector phase
The Inspector’s job is to acquire an initial understanding of the organisation prior to starting the process of embedding the GDPR. To this end the Inspector needs to properly identify the organisation in terms of who is who, the applicable laws & regulations, the processing activities and potential data protection risks.
- Policy maker phase
As Policy maker the main job is to create an internal data protection policy consisting of a privacy mission and rules of conduct. Together these constitute the collective compass needed to create the third policy component: an initial GDPR planning (PLAN) to be executed during the Planner phase.
- Planner phase
The Planner’s job is straightforward: he creates a detailed GDPR planning (PLAN) and allocates its execution to privacy team members (DO), but leaves the executive management of that execution to the Controller.
- Controller phase
The Controller’s job entails the monitoring of (CHECK), and advising on matters of implementation (ACT) during, the realisation of the GDPR planning. Monitoring here means auditing the timely, complete and correct realisation of the allocated privacy activities.
In our next blog we will discuss in more detail how the Inspector role should be executed. We will especially cover the way in which the software and methodology help you to identify and collect the information needed to complete an online Record of processing activities.
The TPF team