Read this guide if you're starting a new data protection management project or want to reassess your company's compliance. If you're looking to implement ongoing data protection management as part of your business operations, head over to our guide on how to manage ongoing data protection compliance.
Data protection compliance affects every department in the company, and so like any other activity that can affect the whole company, it's important to approach this the right way to ensure you:
• have stakeholder buy-in,
• align expectations,
• manage timelines and deliverables,
• manage and prioritise risks, and
• you know where you're heading.
Therefore, it is essential to have a solid project plan when starting a new data protection compliance project. Here is our practical 6-step guide to help you manage and plan out your data protection compliance project.
Assess the scope of your project. Ask yourself which regulations and frameworks need to be covered. Are you assessing compliance for all business units, subsidiaries, and geographies? Is there pressure from the top to meet a certain deadline? What is your budget, and do you have the necessary funds?
At this stage it also makes sense to ensure there is at least one representative of every department to support the delivery of the project as well as to define responsibilities on who manages the project (usually the DPO), who reviews work and who signs everything off.
Deciding early on the tools you want to use to manage your compliance project saves you time later down the line as you're handling lots of different tasks, documents, processes, and stakeholders. It also helps you as part of your scoping exercise to decide on budget and avoid unwanted costs.
Depending on the size of your operations, at a minimum we recommend having a solution for:
• Workflow management: Create and assign tasks, manage timeline, priorities, check progress, etc.
• Tools that help with data protection management, such as: data mapping, document management, vendor management, subject rights management and consent management.
To increase team productivity consider using tools or methods your colleagues are already used to using. E.g. you could choose tools like Asana, Monday.com, ClickUp and Trello to manage workflows and privacy tech software to manage aspects of data protection. If you prefer to have everything collaborative on one platform, you can work with solutions like Palqee.
In any case, being clear what tool is being used for what part of your project execution will help you increase efficiency and keep the overview.
This is usually the first step for most data protection management projects. The Gap Analysis and Data Mapping exercise really can be compared to the discovery phase in other projects.
Discovery describes the project phase where the status quo is being assessed and the project team gets an in-depth understanding of what is required. Only after the discovery phase you can make a realistic plan on timeline and key priorities. Which brings us to the next item.
Prioritise tasks, assign responsibilities and track progress.
Free 14-day TrialThe Gap Analysis will tell you which aspects of your company's data protection requirements have been implemented, partially implemented, or not implemented at all and the Data Map will give you insights about all data processing activities and whether each has been properly assessed based on the legal basis for processing, data controller vs. processor responsibilities, data sharing, data retention and more. With those two results from your discovery phase, create a list of tasks in your workflow management tool. Then decide on the priority of each task according to how much risk they pose to the business.
TIP: Organise your tasks in “categories” so you can keep track of which task covers which aspect of your compliance project.
Here our suggested list categories and related tasks/activities:
A) Data Mapping/ ROPA
B) Policies and Procedures
C) Vendor Management
D) Consent Management (usually done after the legal basis has been established)
E) Subject Rights Management
F) Data Retention and Destruction
G) Data Security
H) Team Training
Once the tasks are created, prioritised, and organised by categories they can be assigned to the Project Manager him-/herself or the representatives and stakeholders that have been defined in Step 1. Make sure to agree on deadlines. Creating a sense of urgency will increase participation from others.
If you use a tool like Palqee, you can link your tasks to activities such as your vendor assessments, policies and more. If not, make sure you add as much detail as possible to the task so anyone working on the task knows what is required. Consider doing a project kick-off with everyone to align on the tasks and clear any questions or concerns.
Once tasks have been completed, make sure everything is reviewed and properly signed-off by the relevant stakeholders.
TIP: Keep the proof of sign-off and date on file in case a business client or the authorities want to know when you last assessed and updated certain aspects of your compliance program. It also helps you to keep track of your activities and when it's time to renew your data map.
The guide above is helpful when you assess and implement your initial compliance framework. However, the trickier bit usually starts after that, and that is how you ensure the company maintains the same level of compliance. Businesses grow and change, which means they choose to work with new vendors, establish new offices and implement new ways of understanding their customers better. Data protection needs to be managed on an ongoing basis and so it needs to be implemented into a company's business operations.
Read our guide with practical tips on how you can implement ongoing data protection management into your business operations.
The #1 platform to operationalise GRC, Privacy and Data Governance.
Free 14-day Trial