Our approach to a GDPR change programme is end-to-end: create awareness, mobilise teams, understand the current state of compliance, design and plan a programme of change, lead the change and finally maintain compliance.

Our approach is generic and can be whatever the context and complexity of processing activities. How complex each phase of our approach will however greatly vary.


A GDPR programme impacts how organisations’ people, processes and technology handle personal data. The principles of the GDPR need to pervade the organisation which is something that cannot be done with a standalone initiative. Consequently, the best way to start is to create awareness and support so that, from the outset, the senior leadership team commits to a programme of change.

During this phase, a deeper understanding of the company's personal data processing activities is built, enabling the tailoring and planning of the next phase, the assessment.


  • Raise awareness of the GDPR
  • Get support for a programme
  • Plan an assessment


  • Run awareness sessions with appropriate leadership team members to introduce the GDPR regulation and secure support
  • Understand the organisation’s context with regards to personal data processing activities (Products, IT, third parties, company organisational structure) in order to scope an assessment
  • Identify teams that will support the assessment and if assessment software tools are going to be beneficial
  • Considering the GDPR go-live date: identify the most urgent actions that need to be started now
  • Build a plan for an assessment
  • Secure funding and prioritise resources


In Assess an organisation reviews its current data processing activities, management and governance practices for data protection and rate them against the requirements of the GDPR. The goal is to find out where changes will be required.


  • Know the data you are processing: create an inventory of all data processing activities, a data map.
  • Understand the gaps between the current situation and what the is required by the GDPR


There are two main activities in an assessment:

The first one is to understand the details of the personal data processing activities, looking at the details and collecting a range of information about those activities: the « why, what, how, where, who, when » of data processing and for each of those activities if data subjects rights are already considered or not. This activity is called data mapping. It is best performed by those who have direct knowledge of the processing activities. A data map can be documented using spreadsheets or other document template however as the number of processing activities grows it really make sense to use commercial tools (usually SaaS based).

The second activity is to assess the organisation against GDPR requirements that are more related to management and governance than to individual processing activities. This part is done using standard questionnaires.


Assess identified the areas where changes are needed, Design takes this further by deciding what changes will be implemented and create a plan for the implementation of such changes. Consider an example: Assess identifies that there are no or little IT security practices in the organisation, in Design the organisation decides what are the appropriate changes required, for example implementing an ISO 27001 compliant ISMS and plan this change.


  • Decide what changes the organisation will implement
  • Have a roadmap for implementation
  • Understand the risks


  • Design changes based on the outcome of the assessment
  • Understand risks of not completing changes on time, set priorities
  • Build a roadmap of changes, including tactical and longer term measures


This is where changes are actually made. Multiple streams of work are likely to have been started and organisation's efforts are in ensuring that those changes are delivered whilst keeping an eye the development of GDPR guidances and code of conducts.


  • Ensure changes are implemented


  • Run the programme of change
  • Lookout for guidances and code of conducts, see how impact the programme
  • Monitor the development of the ePrivacy regulation
  • Transition to the business as usual phase, Evolve.