Now that you have identified the following in your GDPR project:
… let’s move into the third step.
Understanding what needs to be done.
At this point, you have completed the mapping and covered the right areas at the right level of detail. Chances are good that you have found some obvious challenges.
Some of these examples might seem familiar. Perhaps you:
- are unsure of exactly why you collect certain data,
- communicate with your customers in a way that does not match reality,
- do not have all the necessary agreements in place with data processors,
- keep personal data even though you don’t need it (perhaps it is not even technically possible to delete the data!).
If you process personal data – which you do – then you will find challenges.
Once you have found your gaps, you can decide on actions, prioritise them and plan the next steps.
The greatest risks should be handled first, but it is important to understand all the various impacts. For instance, if you need to fundamentally rebuild your technical infrastructure to make it possible for data subjects to exercise their rights, you might need to prioritise this work.
Updating your privacy notice to describe how data is used in a more transparent manner is also important, both for compliance reasons and to proactively manage your brand and reputation.
Make sure to document the reasoning behind your priorities.
A risk-based approach and a well-thought-through plan for your actions are a good way to demonstrate accountability to supervisory authorities.
Remember: the best defence in case of a compliance breach is being able to say “Yes, we knew about it, and we have an appropriate plan for how to remediate it.”
You will still have breached the rules, but it will show that you are moving in the right direction.
Note that in the process of mapping your data and assessing it in relation to the GDPR, you need legal expertise involved. It is not always easy to determine what constitutes personal data, whether a purpose is legitimate, whether a consent is valid, or who the data controller or data processor is.
Note that you will also need information security expertise to assess if you have appropriate security measures in place for your GDPR project, or what new ones should be applied.
We will look at this further in step 4 (coming soon).