The GDPR Plan:
Even though the implementation deadline for the EU’s General Data Protection Regulation (GDPR) is fast approaching (25 May 2018,) there are still many companies of all sizes who are not ready for it.
As a consultant working in the area of project management, I approach almost everything as a project and recommend to my clients they do the same. The advantage of taking this approach is that it can take something seemingly insurmountable and decompose it into more manageable pieces. So, even with the looming deadline, start with a project charter, such as the following example, which includes, among other things:
- Statement of Work: Prepare the policies and procedures needed to abide by the GDPR…
- Target Schedule: by 25 May 2018
- Target Budget: 200 staff hours or 20.000 €
- Business Case: legal requirement for anyone working within the EU and/or managing data of EU residents….
- Other relevant information…
The project charter documents the amount of effort, time and cost required to get the job done, which helps stakeholders better understand what is involved and how they can best approach the actual project work.
The Project Work (The How)
Whether you are trying to meet the 25 May deadline or finish as close to that date as possible, you need to create a PM Plan to get the work done. It does not need to be anything more than a continuation of the project charter, but with the following additional items:
- Scope: add deliverables, such as the policies, procedures, etc.
- Quality: as needed
- Resources: staff, programs, materials (regulations, research, etc.)
- Communication: meetings with key stakeholders throughout the process
- Risks: such as missing the 25 May deadline (threat,) demonstrate compliance with clients (opportunity,) etc.
- Procurement: outsourcing to consultants, purchase materials, etc.
- Stakeholder Management: current and potential new clients, regulators, etc.
Keep in mind that I am not suggesting preparing an extensive PM Plan; just enough of a plan to make sure the key items are covered such as in the list above.
Deliverables (The What)
With the help of the WBS developed within scope and requirements management, we can sort out the deliverables needed to comply with the GDPR, such as:
- Procedures and policies incorporated into your company’s “GDPR Compliance Manual,” including:
- The Information Security Management System (per ISO 27000)
- Policies for consent
- Reporting breaches to the Supervisory Authority (SA)
- Training Manual
- Audit Plan and Schedule
- Reporting breaches to data subjects, the SA, etc.
- Contracts for data collectors and processors
- Requirements Collection
- Date request intake forms
- Consent forms
- Language versions of your policies (English, Spanish, German, Mandarin, etc.)
- Other deliverables
These deliverables represent the guidelines needed to address the GDPR, as well as the documentation needed for internal audits, as well as for demonstrating compliance should there be a breach and the SA and/or legal and judicial agencies conduct their own audits.
By following this PMI Framework in managing projects, you will be able to ensure that the facets of the GDPR are covered and that you performed due diligence in addressing this new regulation. Both of these tasks are crucial should you have to go to the SA some day. You will be glad you did!
Jorge Romero-Lozano, Dipl. Ing, LEED AP, PMP is a consultant working worldwide in the fields of project and program management for diverse industries, including data security, risk management, change and configuration management, and strategy planning.