Your implementation project for compliance with the EU General Data Protection Regulation (GDPR) can be overwhelming and complex. Apart from a few small organisations, most struggle to identify the most important tasks and to put maximum focus on completing them in time, on or before 25 May 2018, when the Regulation starts to apply.
So, let’s see what to focus on.
Why must you prioritise within a GDPR compliance project?
As GDPR is still new, your organisation is likely to have a significant number of gaps and related actions to close. And, unless you have unlimited capacity and budget, you need to close the most important gaps first, and in the right sequence.
See also: EU GDPR Readiness Assessment Tool.
Staff are more productive when they are clear on what matters most and what will deliver the greatest benefit. Identifying priorities allows your senior management to make choices, and allows the organisation to focus. This matters because other projects will be running in parallel and competing for the same people, so prioritisation lets staff work on the right actions.
Accountability is one of the core principles of GDPR (Article 5(2)). Evidence that you prioritised and followed a well-thought-out approach helps you justify that your compliance journey was carefully mapped out, and that you focused on certain aspects for a reason. This will be very handy if something goes wrong, or if you are audited by the Supervisory Authority.
Your biggest priorities
Typically, your biggest priorities will include:
- Making an inventory of your processing activities (the record of processing activities required by Article 30), identifying the lawful basis for each activity, and asking for consent where no other lawful basis applies. This is essential, as it allows you to answer queries from data subjects and the Supervisory Authority.
- Implementing a mechanism to answer Data Subject Access Requests within the one-month deadline. Data subjects will exercise this right, and if you are not ready, the Supervisory Authority is likely to side with them.
- Reviewing and updating contracts with processors and other third parties so that they include the data protection obligations that apply when you share personal data with them for processing (Article 28).
- Making Privacy Notices available to data subjects. This is essential because it allows your organisation to demonstrate transparency and to answer the initial questions a data subject may have.
- Implementing a process to detect personal data breaches and make the required notifications: to the Supervisory Authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and to the affected data subjects when the breach is likely to result in a high risk to them. This is essential not only because failing to notify, or failing to secure the data in the first place, can attract significant fines, but also because a breach carries huge reputational risk.
- Awareness and training of your staff should not be underestimated, and must be included in your priorities, so that staff know what they must do. Organisations that process personal data and interact directly with data subjects must in particular ensure that front-line staff can recognise, capture and route queries from data subjects.
- Designing and implementing a Data Protection Impact Assessment process, so that new processing activities initiated by new projects, campaigns and products are assessed, and the associated risks treated, before the processing starts.
In addition, there are many actions, like the appointment of a Data Protection Officer where one is required, data protection by design and by default, etc., that cannot be ignored and must be completed in time. However, without the seven biggest priorities in place, the rest will not go far in protecting personal data or in preparing you to face data subjects and the Supervisory Authority when needed.
What are the key considerations when defining your priorities?
In my view, too many priorities or complicated approaches to prioritisation can make it difficult for people to remain focused. So, you should define clear criteria for setting priorities. For GDPR, three key criteria apply:
- The key objective of GDPR is to put individuals at the heart of data protection, so your organisation should do the same. Your first and foremost priority is therefore to identify the data subjects within the scope of your organisation. For a controller, the data subjects are likely to be customers, employees and the personnel of suppliers. A processor handles its clients' data subjects on the clients' instructions, and is itself a controller only for its own employees and the personnel of its suppliers. See also: 8 Data subject rights according to GDPR.
- Top managers in most organisations fear GDPR fines, which can reach EUR 20 million or 4% of worldwide annual turnover, whichever is higher. The fear that the Supervisory Authority will visit and fine them is a valid concern, and you must reassure your management. To do so, ask yourself: “What would a Supervisory Authority ask us about if they were to visit?” The answer will typically include topics like the appointment of a Data Protection Officer, notification of personal data breaches, etc.
- GDPR introduces internal actions like the Data Protection Impact Assessment, maintenance of the record of processing activities, training of staff, etc. List the key actions in this regard and decide when each should be completed. See also: 5 phases of the EU GDPR Data Protection Impact Assessment.
Defining priorities within your GDPR implementation project is critical to ensure that the focus is on the right aspects, and that your staff know what they need to do. If you have not done this so far, prepare a set of priorities in line with the above, and agree on those priority actions with the senior management of your organisation.
Download this free Project plan for EU GDPR Compliance and better define the priorities of the EU GDPR compliance project.