Complying with the General Data Protection Regulation (GDPR)

What and how?

How to tackle your GDPR compliance project?

It’s a bit like eating an elephant, so you need to do it in small pieces. Here’s a glimpse of what a phased approach could look like. The working assumption is that the project is given the green light in January-March 2017.


Milestone 1: Initiation

Goal: Position the project, explain the rationale and secure internal support

Action items:

  • Create (C-level) awareness within your company
  • Set project boundaries, milestones, budget and tooling
  • Assign a project leader and select project team members

Deadline:

Before 15 April 2017

How Stibbe could assist:

  • Provide an outline of the key focus points of the GDPR
  • Conduct on-site awareness session(s)
  • Assist in scoping the project in light of the company/group profile

Milestone 2: Analysis and assessment

Goal: Identify the “as-is” and the “to-be” situations and conduct a gap analysis

Action items:

  • Review and obtain a clear understanding of the “as-is”, particularly in terms of (i) all types of data processed, (ii) data lifecycle management strategies (e.g. storage, retention, anonymisation), (iii) use of third-party processors, (iv) all data flows inside and outside the EU, (v) technical and organisational security measures taken, and (vi) all underlying contracts and policies
  • Determine the applicable GDPR requirements (e.g. the presence of high risk processing, sensitive data, the need for a DPO)

Deadline:

Before 15 June 2017

How Stibbe could assist:

  • Provide a due diligence toolkit
  • Conduct interviews with key users
  • Review the related documents
  • Prepare Privacy Impact Assessment (PIA) as required, including gap analysis
  • Assist in appointing and setting up the DPO or data protection role (if no formal DPO is needed)

Milestone 3: Design your future state

Goal: Prepare a blueprint for future GDPR compliance

Action items:

  • Reconcile the assessment findings with the relevant GDPR obligations
  • Design required process improvements, measures and steps required
  • Forecast the timeline and estimate the level of effort and amount of resources needed

Deadline:

Before 15 September 2017

How Stibbe could assist:

  • Prepare pre-design notes and schemes setting forth the new architecture
  • Prepare the blueprint
  • Suggest improvement measures (e.g. pseudonymisation)

Milestone 4: Development (in agile mode)

Goal: Transform the blueprint into compliant products, services, and processes

Action items:

  • Embrace privacy-by-design and privacy-by-default requirements
  • Implement procedures to meet new/enhanced data subject rights
  • Adjust/draft appropriate contracts, notices and policies
  • Incorporate approved codes of conduct and/or earn certification

Deadline:

Before 15 December 2017

How Stibbe could assist:

  • Provide guidance on implementation of processes (e.g. obtaining consent, data portability, right to be forgotten…)
  • Identify best practices
  • Draft the required documents (e.g. information notices towards data subjects and a data breach notification form)
  • Work in various iterations, seeking interim validation from key users
  • Liaise with the supervisory authorities and/or the certification bodies, as the case may be

Milestone 5: Implementation

Goal: Launch the new processes, policies and tooling

Action items:

  • Present the new processes, policies, documents and contracts
  • Familiarize the key users with the new tooling
  • Introduce training materials and train users

Deadline:

15 March 2018 (allowing two months for bug fixing)

How Stibbe could assist:

  • Present the new state to C-level
  • Conduct key user training sessions
  • Prepare manuals and detailed documentation
  • Conduct Q&A

Milestone 6: Run/maintenance mode

Goal: Maintain compliance and ensure regulatory, corrective and evolutionary maintenance

Action items:

  • Conduct regular reviews (e.g. of the evolving “state-of-the-art” requirement for data security)
  • Capture further guidance coming from the regulators (from the European Data Protection Board, which replaces the Art29 Working Party, and others)
  • Monitor training of new users

Period of time:

From May 2018 onwards

How Stibbe could assist:

  • Provide briefing notes on new regulatory guidance or legal developments
  • Set up a helpline
  • Provide on-site support if needed
  • Keep contracts, policies and notices updated
  • Conduct regular updates with DPO or data protection contact on FAQs and overall state of GDPR compliance
