Fast Track Your GDPR Compliance Efforts



  • Organizations often tackle compliance efforts in an ad hoc manner, resulting in an ineffective use of resources.
  • The alignment of business objectives, information security, and data privacy is new for many organizations, and it can seem overwhelming.
  • GDPR is an EU regulation that has global implications; it likely applies to your organization more than you think.

Our Advice

Critical Insight

  • Financial impact isn’t simply fines. A data controller fined for GDPR non-compliance may sue its data processor for damages.
  • Even day-to-day activities may be considered processing. Screen-sharing from a remote location is considered processing if the data shown onscreen contains personal data!
  • This is not simply an IT problem. Organizations that address GDPR in a siloed approach will not be as successful as organizations that take a cross-functional approach.

Impact and Result

  • Follow a robust methodology that applies to any organization and aligns operational and situational GDPR scope. Info-Tech's framework allows organizations to tackle GDPR compliance in a right-sized, methodical approach.
  • Adhere to a core, complex GDPR requirement through the use of our documentation templates.
  • Understand how the risk of non-compliance is aligned to both your organization’s functions and data scope.
  • This blueprint will guide you through projects and steps that will result in quick wins for near-term compliance.

Fast Track Your GDPR Compliance Efforts Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should fast track your GDPR compliance efforts, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Understand your compliance requirements

Understand the breadth of the regulation’s requirements and document roles and responsibilities.

  • Fast Track Your GDPR Compliance Efforts – Phase 1: Understand Your Compliance Requirements
  • GDPR RACI Chart

2. Define your GDPR scope

Define your GDPR scope and prioritize initiatives based on risk.

  • Fast Track Your GDPR Compliance Efforts – Phase 2: Define Your GDPR Scope
  • GDPR Initiative Prioritization Tool

3. Satisfy documentation requirements

Understand the requirements for a record of processing and determine who will own it.

  • Fast Track Your GDPR Compliance Efforts – Phase 3: Satisfy Documentation Requirements
  • Record of Processing Template
  • Legitimate Interest Assessment Template
  • Data Protection Impact Assessment Tool
  • A Guide to Data Subject Access Requests

4. Align your data breach requirements and security program

Document your DPO decision and align security strategy to data privacy.

  • Fast Track Your GDPR Compliance Efforts – Phase 4: Align Your Data Breach Requirements & Security Program

5. Prioritize your GDPR initiatives

Prioritize any initiatives driven out of Phases 1-4 and begin developing policies that help in the documentation effort.

  • Fast Track Your GDPR Compliance Efforts – Phase 5: Prioritize Your GDPR Initiatives
  • Data Protection Policy

Workshop: Fast Track Your GDPR Compliance Efforts

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Understand Your Compliance Requirements

The Purpose

Kick off the workshop; understand and define GDPR as it exists in your organizational context.

Key Benefits Achieved

Prioritize your business units based on GDPR risk.

Assign roles and responsibilities.

Activities

1.1 Kick-off and introductions.

1.2 High-level overview of weekly activities and outcomes.

1.3 Identify and define GDPR initiative within your organization’s context.

1.4 Determine what actions have been taken to prepare; how have regulations been handled in the past?

1.5 Identify key business units for GDPR committee.

1.6 Document business units and functions that are within scope.

1.7 Prioritize business units based on GDPR.

1.8 Formalize stakeholder support.

Outputs

Prioritized business units based on GDPR risk

GDPR Compliance RACI Chart

2 Define Your GDPR Scope

The Purpose

Know the rationale behind a record of processing.

Key Benefits Achieved

Determine who will own the record of processing.

Activities

2.1 Understand the necessity for a record of processing.

2.2 Determine for each prioritized business unit: are you a controller or processor?

2.3 Develop a record of processing for most-critical business units.

2.4 Perform legitimate interest assessments.

2.5 Document an iterative process for creating a record of processing.

Outputs

Initial record of processing: 1-2 activities

Initial legitimate interest assessment: 1-2 activities

Determination of who will own the record of processing

3 Satisfy Documentation Requirements and Align With Your Data Breach Requirements and Security Program

The Purpose

Review existing security controls and highlight potential requirements.

Key Benefits Achieved

Ensure the initiatives you’ll be working on align with existing controls and future goals.

Activities

3.1 Determine the appetite to align the GDPR project to data classification and data discovery.

3.2 Discuss the benefits of data discovery and classification.

3.3 Review existing incident response plans and highlight gaps.

3.4 Review existing security controls and highlight potential requirements.

3.5 Review all initiatives highlighted during days 1-3.

Outputs

Highlighted gaps in current incident response and security program controls

Documentation of all future initiatives

4 Prioritize GDPR Initiatives

The Purpose

Review project plan and initiatives and prioritize.

Key Benefits Achieved

Finalize outputs of the workshop, with a strong understanding of next steps.

Activities

4.1 Analyze the necessity for a data protection officer and document decision.

4.2 Review project plan and initiatives.

4.3 Prioritize all current initiatives based on regulatory compliance, cost, and ease of implementation.

4.4 Develop a data protection policy.

4.5 Finalize key deliverables created during the workshop.

4.6 Present the GDPR project to key stakeholders.

4.7 Workshop executive presentation and debrief.

Outputs

GDPR framework and prioritized initiatives

Data Protection Policy

List of key tools

Communication plans

Workshop summary documentation

Client rating

10.0/10 Overall Impact

Cost Savings

$25,779 Average $ Saved

Days Saved

30 Average Days Saved

 

Tymans Group is a brand by Gert Taeymans BV

Copyright 2017-2022 Gert Taeymans BV