Top 10 Steps to Operationalize the GDPR

Being GDPR ready is a task which extends beyond the privacy or compliance team and requires the involvement and cooperation of the entire organization to take compliance with the GDPR from theory to practice. 

Extract from article by Mark Webber and Hannah Blake

With the implementation of the EU General Data Protection Regulation (GDPR) less than a year away, being ‘GDPR ready’ is a key focus for many organizations. But this task is one which extends beyond the privacy or compliance team: it requires the involvement and cooperation of the entire organization to take compliance with the GDPR from theory to practice.

Even those who’ve pushed through data mapping are starting to realize: it’s one thing to have a core privacy team on top of the GDPR, but it is a mammoth task to operationalize the GDPR throughout an entire organization.

To help, here we provide the top 10 steps to operationalize the GDPR in your organization.

  1. Understand your organization’s governance – rally support!
  • Key stakeholders

If the highest level of management within an organization sets privacy as a key priority, it will help to set the tone for privacy in your organization. They could even go as far as to implement a privacy strategy or make a privacy mission statement. Involvement and support at this level will promote and push forward the compliance process, encouraging involvement and education of employees and assignment of tasks. Maintaining such a policy will dictate privacy’s involvement in day-to-day operations.

In other businesses, we see other compliance champions. Sales people love to sell, and if they feel deal friction from privacy and Q2’s figures are suffering because of Article 28, you can bet they want to smooth that process and perhaps even lead and sell with compliance. Seek out those impacted and build a coalition.

  • Key individuals

In addition, one of the first key questions your organization should ask when looking at its governance structure is ‘Does this organization need a Data Protection Officer (DPO)?’. This is a key role under the GDPR, and unless it is obvious that your organization does not need to appoint one, the organization should document the reason for its decision.

Everyone within an organization has various specialisms related to privacy, and responsibility should be assigned accordingly to create a network of people who manage the day-to-day impact of privacy within your organization. A clear and coherent governance structure will ensure a smoother transition to GDPR compliance.
