GDPR Project Plan
GDPR Project Plan for Compliance
Businesses need a GDPR project plan for compliance because the complexity and scope of the regulation can seem overwhelming. It’s now quite clear that an untold number of controllers and processors throughout the European Union, North America, and other regions of the globe will be affected by the GDPR. Becoming compliant can be an incredibly challenging endeavor, and that’s why FLANK has provided a six-step approach for becoming GDPR compliant.
Step I GDPR Project Plan – Readiness & Gap Assessment
The GDPR is a massive piece of legislation that can indeed seem overwhelming. Because of this, the core elements of FLANK’s GDPR readiness activities consist of the following:
Understanding the scope of one’s GDPR compliance requirements ultimately means learning about organizational processes in relation to the types of data being stored, processed via automated means, and/or transmitted; what third parties, if any, are involved; physical locations; company personnel; and so on. Additionally, because many EU and U.S. controllers and processors may consult with internal and/or external legal counsel, determining what role such counsel will play, and how they envision working with FLANK throughout the entire GDPR lifecycle, is a critical element of assessing scope.
Assessing Operational Controls
A large part of the GDPR requirements mandate that organizations perform various functions as described within the various GDPR Articles. Are you safeguarding data as required? Do you have in place the necessary processes and procedures for executing any number of data rights for EU data subjects? What provisions are in place for ensuring consent is obtained? These are just a few of the dozens of questions we’ll be asking when assessing one’s operational controls. In terms of scope for “operational” controls, this means having personnel involved from all sectors of the organization: Legal, H.R., Privacy, and more.
Assessing Information Security Controls
One could argue that one of the most significant intents of the GDPR is ensuring that organizations have comprehensive InfoSec processes and procedures in place. After all, you can’t secure personal data without adequate InfoSec controls, and you can’t have adequate InfoSec controls unless you’ve adopted a prescribed InfoSec framework – it all ties together. FLANK’s GDPR readiness & gap assessment activities will dig deep into your InfoSec controls, determining what’s working and what’s not, then develop a battle plan for full compliance.
A large part of the GDPR documentation requirements falls under three critical areas: (1) Operational, (2) Information Security, and (3) Legal/Privacy:
(1). As for “operational” documents, these relate primarily to internal organizational processes and procedures relating to many of the requirements within the GDPR. More specifically, what documentation is in place regarding the actual operational steps to take for implementing the stated policies?
(2). As for “information security” documents, these relate specifically to the InfoSec framework that organizations should be implementing as part of compliance with Article 32 and many other related Articles. The vast majority of EU companies will undoubtedly map their information security policies, procedures, and processes to ISO 27000 (particularly ISO 27001 and ISO 27002), while North American companies will likely utilize the NIST framework (particularly the NIST Cybersecurity Framework, NIST SP 800-53, and others).
(3). As for “legal” and “privacy” documents, these relate primarily to consent forms, rights of data subjects, and how controllers and processors perform these initiatives internally.
FLANK offers a world-class ISO 27001/27002:2013 All-in-One Toolkit, and dozens of other GDPR policies and procedures, all available for instant download today at flank.org. Additionally, learn more about the mapping between ISO and GDPR by downloading the GDPR mapping to ISO 27001/27002 matrix.
The Importance of Documentation for the GDPR
Do you have all the required policies and procedures, supporting documentation, and other relevant material in place for GDPR compliance? If you answered no, then you’re not alone, and you can join the untold numbers of controllers and processors who lack adequate documents for the various privacy, legal, operational, and information security requirements of the GDPR. Is there a solution for such a tedious and demanding task? There is; it all depends on the amount of time and money you’re willing to spend. You can hire an army of lawyers, privacy experts, H.R. personnel and information security professionals, and they’ll without question deliver the documents you need, but at a price tag that may shock you.
Unfortunately, very few firms have all the necessary documentation for meeting all the requirements of the GDPR, but FLANK can assist. We specialize in GDPR documentation creation for all Articles within the regulation. Furthermore, we’ve developed world-class GDPR policy templates & toolkits that can be used for many areas within the GDPR regulation. View the GDPR mapping to ISO 27001/27002 matrix today, along with the ISO 27001/27002 policy toolkit.
Whatever route you decide to embark on, you’ll still need to conduct an extensive documentation assessment for GDPR compliance. This requires developing a matrix and mapping each of your existing documents to the requirements within the GDPR. You’ll thus be able to quickly identify gaps and missing policies that require immediate attention.
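The documentation matrix described above, as an added example that is not FLANK’s toolkit or any code from this page. The requirement list and the document inventory are constructed sample data (the Article numbers are real GDPR Articles, the documents, owners and review dates are made up), and the one-year review threshold is an assumption. The script goes slightly beyond the text by distinguishing a true gap (no document maps to a requirement) from a document that exists but needs remediation because it has no owner or has not been reviewed recently.

```python
"""Documentation gap matrix for a GDPR readiness assessment (added example).

Maps an inventory of existing documents to a list of GDPR requirements and
reports, per requirement, whether it is covered, needs remediation, or is a gap.
All sample data below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class Requirement:
    article: str  # GDPR article reference, e.g. "Art. 32"
    topic: str    # short description of the obligation
    area: str     # "Operational", "Information Security" or "Legal/Privacy"


@dataclass
class Document:
    title: str
    covers: set[str]                  # article references this document addresses
    owner: str | None = None          # accountable owner; None means unowned
    last_reviewed: date | None = None # None means never formally reviewed


# Constructed requirement list; a real assessment enumerates far more.
REQUIREMENTS = [
    Requirement("Art. 5", "Processing principles", "Legal/Privacy"),
    Requirement("Art. 17", "Right to erasure", "Legal/Privacy"),
    Requirement("Art. 20", "Right to data portability", "Legal/Privacy"),
    Requirement("Art. 30", "Records of processing activities", "Operational"),
    Requirement("Art. 32", "Security of processing", "Information Security"),
    Requirement("Art. 33", "Breach notification to the supervisory authority", "Information Security"),
    Requirement("Art. 35", "Data protection impact assessment", "Operational"),
]

# Constructed document inventory (titles, owners and dates are made up).
INVENTORY = [
    Document("Information Security Policy", {"Art. 32"}, owner="CISO", last_reviewed=date(2018, 1, 15)),
    Document("Incident Response Procedure", {"Art. 32", "Art. 33"}, owner="CISO", last_reviewed=date(2016, 6, 1)),
    Document("Data Subject Request Procedure", {"Art. 17"}, owner=None, last_reviewed=date(2018, 2, 1)),
    Document("Privacy Notice", {"Art. 5"}, owner="DPO", last_reviewed=date(2018, 3, 1)),
]

AS_OF = date(2018, 5, 25)   # assessment date used by the example (the GDPR application date)
MAX_AGE_DAYS = 365          # assumed review interval; tune to your own policy


def assess_coverage(requirements, inventory, as_of=AS_OF, max_age_days=MAX_AGE_DAYS):
    """Return {article: status} where status is 'covered', 'needs_remediation'
    (a document maps to it but none is both owned and reviewed within
    max_age_days) or 'gap' (no document maps to it at all)."""
    coverage = {}
    for req in requirements:
        docs = [d for d in inventory if req.article in d.covers]
        if not docs:
            coverage[req.article] = "gap"
            continue
        healthy = any(
            d.owner is not None
            and d.last_reviewed is not None
            and (as_of - d.last_reviewed).days <= max_age_days
            for d in docs
        )
        coverage[req.article] = "covered" if healthy else "needs_remediation"
    return coverage


def gaps_by_area(requirements, coverage):
    """Group everything that is not 'covered' by area, which is the shape a
    remediation plan is usually organised in."""
    plan = {}
    for req in requirements:
        status = coverage[req.article]
        if status != "covered":
            plan.setdefault(req.area, []).append((req.article, req.topic, status))
    return plan


def run_assessment():
    """Run the matrix over the constructed data and return the coverage map."""
    return assess_coverage(REQUIREMENTS, INVENTORY)


if __name__ == "__main__":
    cov = run_assessment()
    for area, items in gaps_by_area(REQUIREMENTS, cov).items():
        print(area)
        for art, topic, status in items:
            print(f"  {art:8} {status:18} {topic}")
```

On the constructed data the matrix flags Art. 20, 30 and 35 as outright gaps, Art. 17 as needing remediation because the procedure has no accountable owner, and Art. 33 because the incident response procedure is almost two years old. Keeping the "needs remediation" bucket separate from "gap" matters in practice: a stale or unowned policy is easy to mistake for coverage in a spreadsheet that only records whether a document exists.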
Step II GDPR Project Plan – Collaboration with Third-Parties
Due to the comprehensive nature of the GDPR, we occasionally find ourselves working in collaboration with other professional services firms, or at the very least with an organization’s internal and/or external legal counsel. That’s perfectly acceptable and understandable, and it also makes for an efficient process for helping businesses become GDPR compliant, as different areas of expertise are often needed. For engagements of this type, the team can be multi-faceted, consisting of attorneys, technology consultants, auditors, managed security services providers, and others, or it can just be FLANK.
Step III GDPR Project Plan – Operational Control and Documentation Remediation Activities
Because of the large scope placed on businesses by the GDPR regulations, it’s common to have a significant number of operational remediation activities to perform. Perhaps your processes for safeguarding data need to be strengthened, your privacy notices need to be updated, or data needs to be more clearly identified and inventoried in a more formal manner.
Changing organizational culture to align with growing regulatory compliance requirements can be incredibly demanding and time-consuming, but with heavy fines looming for failure to comply with the GDPR, what options do you really have? How controllers and processors conduct business in terms of operational style often dictates the amount of remediation necessary. The days of performing organizational activities informally, devoid of any structure and leaving little to no trail for accountability, are long gone.
For example, you may have a quick-and-easy process for permanently removing a data subject’s personal data from your information systems, but is it documented in a well-written policy, does it follow a structured process that ensures the data is completely removed, and is a help desk ticket or change request ticket opened to document all activities throughout the entire lifecycle? That’s just one small example of the many operational challenges that controllers and processors will face with the GDPR requirements.
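The erasure example above, turned into working code as an added illustration (not FLANK’s material or any code from this page). The stores are in-memory dictionaries standing in for a CRM, a mailing list and a legal-hold archive, the ticket and subject identifiers are constructed, and the "legal hold" exemption is an assumed example of a documented retention exception. It shows the three properties the paragraph asks for: the run refuses to start without a change ticket, every step is written to an audit trail tied to that ticket, and a verification pass confirms no residual copies remain.

```python
"""Auditable personal-data erasure workflow (added example, constructed data).

Refuses to run without a change/help-desk ticket, records every step against
that ticket, skips stores under a documented retention exemption, and verifies
that no copy of the subject's record survives anywhere else.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


class ErasureError(Exception):
    """Raised when the workflow cannot proceed or verification fails."""


@dataclass
class AuditEntry:
    ticket: str
    step: str
    detail: str


@dataclass
class ErasureRequest:
    ticket: str                           # change/help-desk ticket reference
    subject_id: str                       # internal identifier of the data subject
    stores: dict[str, dict[str, dict]]    # store name -> {subject_id: record}
    log: list[AuditEntry] = field(default_factory=list)


def _pseudonym(subject_id: str) -> str:
    # The audit trail should not itself become another copy of personal data,
    # so record a short hash of the identifier rather than the identifier.
    return hashlib.sha256(subject_id.encode()).hexdigest()[:12]


def _audit(req: ErasureRequest, step: str, detail: str) -> None:
    req.log.append(AuditEntry(req.ticket, step, detail))


def erase_subject(req: ErasureRequest, retention_exempt: tuple[str, ...] = ()) -> list[AuditEntry]:
    """Remove the subject's records from every non-exempt store, verify removal,
    and return the audit log. Stores listed in retention_exempt (e.g. a legal-hold
    archive) are skipped and the skip itself is logged."""
    if not req.ticket:
        raise ErasureError("no change ticket referenced; refusing to erase")
    _audit(req, "start", f"erasure of subject {_pseudonym(req.subject_id)}")

    for name, store in req.stores.items():
        if name in retention_exempt:
            _audit(req, "skip", f"{name}: retained under documented exemption")
            continue
        if req.subject_id in store:
            del store[req.subject_id]
            _audit(req, "delete", f"{name}: record removed")
        else:
            _audit(req, "delete", f"{name}: no record present")

    # Verification pass: any copy left outside an exempt store is a failure,
    # and the failure is recorded before the exception is raised.
    residual = [n for n, s in req.stores.items()
                if n not in retention_exempt and req.subject_id in s]
    if residual:
        _audit(req, "verify", f"FAILED, residual copies in {residual}")
        raise ErasureError(f"residual copies in {residual}")
    _audit(req, "verify", "no residual copies found")
    return req.log


def build_sample_stores() -> dict[str, dict[str, dict]]:
    """Constructed sample data: two subjects across a CRM, a mailing list and
    a legal-hold archive. Values are placeholders, not real records."""
    return {
        "crm": {"u-1001": {"email": "alice@example.com"}, "u-1002": {"email": "bob@example.com"}},
        "marketing": {"u-1001": {"opt_in": True}},
        "legal_hold": {"u-1001": {"case": "constructed-case-ref"}},
    }


def run_example():
    """Erase constructed subject u-1001 under constructed ticket CHG-0001 and
    return the resulting stores and audit log."""
    stores = build_sample_stores()
    req = ErasureRequest(ticket="CHG-0001", subject_id="u-1001", stores=stores)
    log = erase_subject(req, retention_exempt=("legal_hold",))
    return stores, log


if __name__ == "__main__":
    _, entries = run_example()
    for e in entries:
        print(f"[{e.ticket}] {e.step:7} {e.detail}")
```

The verification pass is the part most informal processes lack: deleting from the systems you remembered is easy, proving afterwards that nothing was missed is what an auditor (or a data subject) will ask for, and the log tied to the ticket is the evidence.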
While the vast majority of organizations are without question highly competent in terms of business acumen, their lack of operational formality and documentation is now creating large and looming challenges with the GDPR. FLANK can help!
Let’s also not forget the accompanying operational policies and procedures that need to be in place; FLANK can help develop them by offering prescriptive GDPR templates designed to save controllers and processors both time and money.
Examples include the following:
- Data Retention Policies and Procedures
- Data Privacy Impact Assessment Program
- Third-Party Due-Diligence and Vendor Management Program
That’s just a small sample of the world-class documentation available for download today from FLANK, your GDPR project plan compliance professionals for both U.S. and EU controllers and processors.
Step IV GDPR Project Plan – Information Security Control and Documentation Remediation
Article 32 of the GDPR speaks volumes about the importance of information security, and while the GDPR does not require adoption of a specific InfoSec framework, it does provide guidance on the importance of such security measures. FLANK can help controllers and processors in remediating information security controls, and the necessary supporting documentation, for ensuring GDPR compliance. Our data bank of documents is simply unprecedented, providing world-class ISO 27001/27002, NIST SP 800, and additional stand-alone information security policy templates and toolkits – all available for download at flank.org. Simply purchase and customize them yourself or hire FLANK to author your documentation today.
Benefits received from our Step IV GDPR Project Plan include the following:
- Development of comprehensive information security policies and procedures for the GDPR.
- Validation of security controls (processes and procedures) in accordance with InfoSec best practices and Article 32 GDPR requirements.
- The adoption of world-class information security documentation in accordance with industry leading frameworks.
- Adoption of a true InfoSec compliance culture complete with awareness and accountability for all participants.
Step V GDPR Project Plan – Legal Requirements and Documentation Remediation Activities
Many of the “legal” requirements within the GDPR for controllers and processors contain provisions relating to various rights of data subjects and obligations to such data subjects. In fact, many would argue that the GDPR itself is actually a large legal mantra filled with dozens of requirements – which it no doubt is – yet with a strong focus on the right to portability, right to erasure, various privacy rights and more – all of which are legal requirements with massive repercussions for non-compliance.
Benefits received from our Step V GDPR Project Plan include the following: development of all controls and related documentation for ensuring personal data is processed lawfully, fairly and in a transparent manner in relation to the data subject.
Step VI GDPR Project Plan – Validation of Control Compliance
Because of the massive efforts put forth by controllers and processors to meet the GDPR compliance requirements, it’s highly recommended that a validation process, a “dry run”, be performed to ensure full coverage is in place. Documentation needs to be assessed for accuracy and completeness, internal controls should be audited against the prescribed GDPR “Articles”, and more. While there is no specific requirement to have an actual GDPR report or assessment performed (at least not yet!), such measures would be beneficial in terms of ongoing business development and validation that controls are functioning properly. GDPR certification is coming, so validating one’s policies, procedures, and processes is imperative.
Step VII GDPR Project Plan – Continuous Compliance
It’s often been stated that GDPR compliance is a marathon, not a sprint: a process that takes both time and patience, and a true willingness to comply with what’s become a challenging mandate for many businesses. Adding to such challenges is ensuring that GDPR compliance is maintained on an ongoing basis, not just at a point in time. Controllers and processors will be quick to cheer when initial compliance is met, but that’s only the beginning, as continuous compliance is where the real battle begins with one’s GDPR project plan.
What is continuous compliance? It is the effort undertaken by controllers and processors to ensure all necessary controls (i.e., policies, procedures, and processes) are continuously monitored and enforced as necessary. It’s a relatively straightforward process; that’s not the issue. Rather, finding competent personnel to enforce and monitor an organization’s internal controls is often the challenge. FLANK’s solution for GDPR continuous compliance is efficient and scalable, offering the following for various industries:
- Simple, straightforward, with easy-to-use checklists for monitoring one’s control environment.
- Deep-dive with rich reporting capabilities.
- A hybrid approach that includes a healthy mix of your internal staff combined with our highly-seasoned GDPR compliance professionals.
Download GDPR Checklist
A great place to start with one’s GDPR project plan initiatives is downloading FLANK’s world-class GDPR checklist. Available for instant download, the MS Word document is easy to edit and customize and includes coverage of all GDPR Articles. It’s hard to imagine kicking off a GDPR project plan without such a checklist, so download it today.
Download Data Protection Impact Assessment (DPIA) Template
A large number of controllers and processors will find themselves having to perform a GDPR Data Protection Impact Assessment (DPIA). With only a little guidance provided within the actual GDPR, it’s no wonder there’s general confusion as to what a DPIA should be. FLANK has developed the world’s first GDPR Data Protection Impact Assessment (DPIA) template, and it’s available for instant download.
Download GDPR Policy Templates & Toolkit Today
No GDPR project plan would be considered complete without an assessment of policies and procedures. The GDPR requires heavy documentation, and FLANK delivers by offering world-class GDPR policy templates and toolkits for instant download. No need to author your own GDPR policies; that’s on us, so learn more today at flank.org.
Why FLANK for GDPR Compliance?