The EU GDPR (General Data Protection Regulation) applies from May 25th, 2018. It is among the most significant data protection initiatives of the last several years and has far-reaching implications for the private as well as the public sector across the continent.
The EU GDPR sets out requirements on how businesses must handle the processing and protection of personal data. Meeting these requirements demands close cooperation between different divisions of a company, such as management, IT and legal.
Top management in all private and public organizations will need to ensure that key personnel and decision makers are aware of the changes in law that GDPR brings. This will help them understand and appreciate the impact the regulation is expected to have on business operations. Here are the crucial steps for managing GDPR compliance as part of project planning:
1. Mapping information
This phase requires the relevant personnel in all major departments (IT, marketing, HR etc.) to work through customized data questionnaires prepared to establish the primary data flows in the organization. These questionnaires help identify the key activities that involve the processing of personal data, and where that data is stored, transferred and shared.
2. Gap assessment
After the first phase of identification, the results are compared against the EU GDPR requirements. This identifies the gaps the organization needs to close in order to comply with the new regulation.
3. Privacy impact analysis
This is an analysis of the level of protection afforded to each data subject (referred to here as a registered party) by a given processing activity. The objective of such an analysis is to manage the identified risks and to prevent a worst-case scenario from occurring.
4. Implementation
This is typically the most challenging phase and requires the organization's project management team to ensure that all key activities meet the GDPR requirements before May 2018. The implementation steps will differ for each organization depending on its data flows and the existing state of its information security compliance program. Yet almost all organizations will need to carry out at least a few common steps, such as identifying the Data Protection Authority (DPA) most relevant to the business, based on its primary location of operation in the European Union.
5. Planning for contingency
There may be cases in which personal data is breached. The EU GDPR introduces updated requirements for all public and private organizations to notify the relevant supervisory authority of a personal data breach (under the regulation, without undue delay and, where feasible, within 72 hours of becoming aware of it). The notification may need to include information such as the categories of data affected, the approximate number of data subjects (registered parties) involved, and so on, which means a breach response plan and a means of establishing these facts quickly must be in place beforehand.
6. Continued management
It is crucial for organizations to review their existing privacy notices and to formulate a plan for making any required changes before the GDPR takes effect.
Project management will also need to ensure that each staff member knows their responsibilities ahead of the new GDPR coming into force, and that compliance continues to be monitored after that date rather than treated as a one-off project.