Our approach to a GDPR change programme is end-to-end: create awareness, mobilise teams, understand the current state of compliance, design and plan a programme of change, lead the change and finally maintain compliance.
Our approach is generic and applies whatever the context and complexity of the processing activities; how complex each phase of the approach turns out to be will, however, vary greatly.
A GDPR programme impacts how an organisation's people, processes and technology handle personal data. The principles of the GDPR need to pervade the organisation, which is something that cannot be done with a standalone initiative. Consequently, the best way to start is to create awareness and support so that, from the outset, the senior leadership team commits to a programme of change.
During this phase, a deeper understanding of the company's personal data processing activities is built, enabling the tailoring and planning of the next phase, the assessment.
In Assess, an organisation reviews its current data processing activities and its management and governance practices for data protection, and rates them against the requirements of the GDPR. The goal is to find out where changes will be required.
There are two main activities in an assessment:
The first one is to understand the details of the personal data processing activities, collecting a range of information about each of them: the « why, what, how, where, who, when » of the processing, and, for each activity, whether data subjects' rights are already considered or not. This activity is called data mapping. It is best performed by those who have direct knowledge of the processing activities. A data map can be documented using spreadsheets or other document templates; however, as the number of processing activities grows, it really makes sense to use commercial tools (usually SaaS based).
The second activity is to assess the organisation against GDPR requirements that are more related to management and governance than to individual processing activities. This part is done using standard questionnaires.
Assess identifies the areas where changes are needed; Design takes this further by deciding which changes will be implemented and creating a plan for their implementation. Consider an example: if Assess identifies that there are few or no IT security practices in the organisation, then in Design the organisation decides what the appropriate changes are, for example implementing an ISO 27001-compliant ISMS, and plans that change.
This is where changes are actually made. Multiple streams of work are likely to have been started, and the organisation's effort goes into ensuring that those changes are delivered whilst keeping an eye on the development of GDPR guidance and codes of conduct.