Many organisations remain entirely unprepared. The legislation presents a range of compliance and operational challenges for businesses that require thorough planning and additional resources. As every organisation handles data differently, there is no “one size fits all” GDPR project plan.
3gamma’s three-step approach
Step 1: Raise Awareness – Inform the board and key stakeholders of how the GDPR will impact the business, highlighting the significant fines for non-compliance and the fact that companies may be required to delete valuable data collected in breach of the GDPR. The board should assign an executive sponsor and establish a GDPR working group with the business function leads (HR, Marketing, Legal, Compliance, Sales…), securing their co-operation in reaching GDPR compliance.
Step 2: Conduct a readiness assessment for your organisation – There are a number of factors that will determine the amount of work required. A few areas to consider are:
- Are you compliant with the existing data protection laws?
- How much personal data does your organisation process and for what purpose?
- Does any of the data fall into special categories, i.e. “sensitive personal data”?
- Are you a data processor or a data controller?
- What policies and procedures do you already have in place?
- How well documented are your existing data processing practices?
- How straightforward are your data processing activities? For example, do you export personal data outside of the EU?
Step 3: Identify the next steps and areas requiring immediate attention – Your priorities will depend on the nature of your business and how you process personal data. For example, you should consider implementing “privacy by design” if you are developing a new product or service that processes personal data, or ensure that any third-party data processors are GDPR compliant if their contracts extend beyond the 25th May 2018.