1: Senior management must provide support

Senior-management support is critical for buy-in, implementing what needs to be done and ensuring the appropriate budget and resources are allocated to the GDPR project, consider:

  • What resources and budget you will need?
  • How you are going to divide up your programme, e.g. by themes?
  • Who will own actions and how they will be tracked?
  • How and when to update and leverage senior management?


2: A clear project management plan

Implementing the GDPR cannot simply be the work of the compliance or privacy officer but rather must be a full, cross-business project plan with a cross-functional task force within the organisation to get all elements of the GDPR readiness in place – legal, compliance, business units, IT, risk management. They all need to be at the table.


3: Know your organisation’s data

Know what data you have and where it is, ask yourself:

  • Who are your data subjects?
  • Do you process sensitive personal data?
  • Do you collect data about children?
  • What grounds do you currently rely on to process personal data?
  • Do you make automated decisions?
  • Do you profile individuals?
  • Do you send data outside the EEA?
  • Do you have a breach notification process already?
  • Do you have a DPO already?


4: Adopt a risk-based approach

Understand what risks you are willing to accept and which data assets are critical to compliance and therefore must to be prioritised. Your GDPR taskforce should continuously examine issues and processes such as legal issues, cybersecurity, application development, third party contracts and electronic marketing processes.

When looking at risk for your organisation, look at the tangible harms to individuals that your organisation needs to safeguard against. These are usefully detailed in Recital 75 of the GDPR and include processing that could give rise to:

  • discrimination
  • identity theft or fraud
  • financial loss
  • damage to reputation
  • loss of confidentiality of personal data protected by professional secrecy
  • unauthorised reversal of pseudonymisation
  • any other significant economic or social disadvantage.


5: Find the gaps in your data processes

A gap analysis should highlight processes you need to modify before the GDPR, e.g. how you collect consent and if you need to initiate a new consent moment that meets the GDPR standard.

The gap analysis should identify if you have legacy datasets you didn’t know you had, which could be deleted where no purpose for keeping them can be identified.