2/19/16 - EU GDPR: What To Do, When To Do It
Home > News & Insights > Insights

2/19/16 - EU GDPR: What To Do, When To Do It

Do Now: Start the Change Process

Become familiar with the GDPR and raise awareness of its significance by:

  • Identifying elements of the GDPR that are most likely to affect your organization, particularly in relation to: business strategy, infrastructure and IT planning, new market ventures, and business-model development
  • Developing a vision of the changed business and preferred outcomes for the organization in the context of the GDPR
  • Communicating key messages about the GDPR with senior internal stakeholders

(See Promontory’s EU GDPR: A Primer for further details.)

By Spring 2016: Initiate the Program

Set out a GDPR change-program plan by:

  • Obtaining a mandate from decision-makers to establish the change program
  • Establishing the activities needed to achieve the required change, and the resources required
  • Defining success criteria for the program and activities to be undertaken
  • Formulating a program approach and governance structure
  • Recognizing the interdependencies between this change and other initiatives underway or planned
  • Understanding the need to manage the change program while maintaining business as usual
  • Establishing a stakeholder-management plan and engaging key people in the business about the changes required

Identify strategic and critical questions for immediate consideration, such as:

  • Location of the organization’s main establishment
  • Appointment of a data protection officer
  • Risk appetite in the context of higher maximum fines
  • Potential impact of the U.K exiting the European Union after a referendum

Identify GDPR hot topics in relation to personal-data processing that are critical to your business model, for instance:

  • Lawfulness of processing, in particular the use of consent or legitimate interests
  • Processing of children’s data
  • Processing of special categories of data, or data related to criminal offenses and convictions
  • Use of automated decision-making, including profiling
  • Organization as a data controller and/or processor
  • Conditions for transfers of personal data to third countries
  • Data processing for specific situations, such as for journalistic, scientific, or statistical purposes

By End of 2016: Mid-Program Checkpoint

Establish the state of play of the program by:

  • Assessing progress against program activities and objectives
  • Reviewing the management of identified risks and issues that may present obstacles to success
  • Communicating with stakeholders and ensuring that their expectations are aligned with what is being delivered

Prepare for the remainder of the program by:

  • Anticipating the cultural change needed to make the transition to the GDPR
  • Starting to embed new operational capability so that benefits can be realized and potential costs mitigated
  • Monitoring the GDPR as it continues to evolve through emerging guidance, secondary legislation, member state carve-outs, and court rulings

By Spring 2018: Full Readiness for GDPR

Confirm program closure by:

  • Checking completion of all activities against plans and success criteria
  • Ensuring business as usual has transitioned to the new target-operating model and that redundant processes and operations have ceased or are winding down
  • Activating new policies and procedures ahead of GDPR go-live, and generating management information
  • Updating program information, including obtaining and recording the acceptance of any outstanding risks and issues
  • Informing stakeholders of the conclusion of the change program and the transition to business as usual

Ensure that all GDPR change-management work is documented so that evidence can be provided as required to internal stakeholders, internal audit, and regulators. Assign responsibility for managing and monitoring the application of the GDPR in the organization and continue to examine how the benefits of the new rules and operating model can be best realized.

Contact Us

Promontory assists companies throughout the full life cycle of building, managing, and sustaining privacy and data protection governance programs. For more information about how we can help your organization enhance its GDPR practices, please contact a senior member of our privacy and data protection team:

John Bowman
Senior Principal, London
jmbowman@promontory.com
+44 207 997 3417

Robert Grosvenor
Director, London
rgrosvenor@promontory.com
+44 207 997 3407

Marc Loewenthal
Director, San Francisco
mloewenthal@promontory.com
+1 415 291 2679

Simon McDougall
Managing Director, London
smcdougall@promontory.com
+44 207 997 3456

Michael Spadea
Director, San Francisco
mspadea@promontory.com
+1 415 291 2671


Subscribe to Promontory Sightlines and publications Follow Promontory on Twitter @PromontoryFG 

News & Insights Search