We talk to all types of businesses on a daily basis about how best to get started with, and manage, a GDPR project. So we put together a short guide on how businesses can approach their compliance work.
The steps will vary depending on your business and organisation, but this format is one we have seen work well for many different types of companies, and one that leading privacy professionals around Europe apply.
So, you have no idea where to start? Start right here.
This article contains the first steps we suggest you and your organisation take when approaching the GDPR work.
This is part 1 of a 5-part series (you can download the full guide here). Let’s jump in.
A) Ask Yourself Why
In some businesses, just uttering the word “compliance” can bring about immediate action. In most organisations however, it might not be that simple. A project of this scale is probably considered both resource- and time-consuming, and for good reason.
So, in order to focus on the right things and get the most out of your GDPR project, it is important that your organisation aligns with the why behind the work.
Begin with the important questions:
- Why should we strive for compliance?
- Why is respect for personal integrity important?
- How can data breaches and incidents affect our brand and business?
B) Assign Responsibility for the Project
GDPR compliance is not a one-man job. You need to form a project group with enough people and expertise to understand all parts of the organisation, e.g. law, technology and the business.
But you also need a project manager. This person does not necessarily have to be your Data Protection Officer, if you need or want a person with that title at all. What matters most is that it is a person with strong project management skills.
C) Identify Stakeholders
Data protection affects most parts of your organisation, and you will need to talk to people at all levels. To understand how the organisation processes personal data and why, you need representatives involved from e.g. sales, marketing, HR and tech.
Ensuring proper buy-in and attention from the organisation is essential to succeed with the project. But if you do not secure this buy-in from top management first, you cannot even begin this work. Top management needs to be fully informed of GDPR, the risks and the opportunities involved, and what is to be done.
As mentioned above, a Data Protection Officer is not a requirement for every business. In most cases however, regardless of regulatory requirements, it is a sound idea to assign overall responsibility for compliance management to someone.
D) Set a Budget
Ensuring GDPR compliance is not a short one-off project, it is an adjustment to a new way of managing your business. Going through existing processes, involving stakeholders and planning the work will take time and require resources.
A success factor in moving forward with the work will be having a budget. Make sure to set your budget, and prioritise activities based on that.
E) Decide on Resources and Tools
Many companies do not have the resources necessary to manage GDPR compliance in-house. If you are not blessed with data protection experts in-house, you should find appropriate advisors as soon as possible.
Legal and information security experts should be involved early in the process. If you involve them too late in the assessment process, for instance just to double-check your work, the risk is high that you will have to start over.
In addition to determining expertise and project management resources, you should evaluate and decide early on what software solutions to use to manage your work. The sooner you decide, the easier your work will be.
There is no single technical solution that solves everything. In the end, you might need several different management and security tools, depending on your business and data processing. Find a data protection management software that helps you with the first important steps of your project, and which enables you to establish an efficient process for the long term.