TRUSTe has developed an education series designed to provide you with a path to achieving GDPR compliance. This multi-part program provides both guidance on what to do, along with options for helping you get it done.
Step 3: Develop Plan
In Step 3 of Your Path to GDPR Compliance, we leverage the progress and results from Step 1: Assess Readiness and Step 2: Build Consensus to answer the question, “How do I build a plan that’s prioritized based on risks and accounts for level of effort?”
Several things must happen at this stage to develop an effective plan including:
- Conducting a risk analysis
- Conducting a level of effort (LOE) analysis
- Creating a project plan
By investing the time up front to perform the proper analysis and planning, you can be confident that your GDPR Compliance Program will efficiently and effectively mitigate risk while meeting your company’s business objectives.
A. Conduct Risk Analysis
Under Section 3, Article 35 of the GDPR, a Data Protection Impact Assessment (“DPIA”, which is also commonly known as a Privacy Impact Assessment or “PIA”) is required for any processing that may result in “high risk”. “The supervisory authority shall establish and make public a list of the types of processing operations that require a DPIA.”
While official public lists from the Data Protection Authorities (“DPAs”) are forthcoming, the following are common questions to begin to identify areas of risk, including “high risk”. These particularly reflect the more stringent GDPR requirements.
- Security / Data Protection. Are the necessary data protection controls in place, e.g., encryption, data loss prevention, enhanced access control, anonymization?
- International Data Transfers. Are all transfers protected according to the appropriate data transfer mechanism in place (i.e., under Model Contract Clauses, Binding Corporate Rules, EU-US Privacy Shield if ratified, Consent, or other)?
- Vendor Management. How do the vendors in your data flow manage the personal data? What stated data privacy and security policies and controls are in place? Can they be verified?
- Mergers & Acquisitions. What data privacy and security processes are in place at the merged or acquired company? Is there discrepancy between the processes at your organization?
- Large Scale Processing: Are there any profiling processes in place? Is there systematic monitoring of publicly accessible areas or special categories (i.e., genetic, biometric data, criminal records)?
- Conversions & System Changes. Have or will there be conversion of records from paper-based to electronic form? Or conversion of info from anonymous to identifiable form? Have or will there be system management changes with new uses or applications of technology?
- Database Changes. Have or will there be merging, matching, manipulation of multiple databases with personal data (e.g., between subsidiaries or in M&A context)? Or incorporation into existing databases of personal data obtained from commercial or public sources?
With gaps identified from the initial GDPR Readiness Assessment in Step 1 and from a deeper dive risk analysis as discussed above, you can build a table of gaps organized by risk level – Low, Medium, and High.
Example Table of Gaps with Risk Level
Assessing levels of risk will be highly dependent on the priorities that your organization attributes to certain components. A strong understanding of the current legal and regulatory environment is also essential to proper risk level determination. Common risk categories to keep in mind when assigning risk levels are legal, regulatory, political, operational, strategic, market, credit, reputational, event, and country-specific risks.
You can build your own templates for this analysis or leverage those available in data privacy management platforms like the Assessment Manager, with built in workflows to guide you through the process.
B. Conduct Level of Effort (LOE) Analysis
For each gap, you’ll then need to identify specific remediation actions and estimate Levels of Effort (LOEs) – Low, Medium, and High. By mapping the Risk Levels to the LOEs of each activity, you can start grouping activities in a Risk / LOE matrix to help visualize your plan’s priorities.
Example Risk / Level of Effort Matrix
C. Build the Project Plan
Armed with the results of the gap, risk and LOE analysis, you can then build a project plan against a timeline for completion. The plan should take into account:
- The privacy team’s stated goals – short, mid, long-term
- Budget and people resources available
- Prioritization for work on “high risk” areas
- Sufficient period for activities with higher LOEs and longer implementation times
- GDPR developments and likely enforcement milestones
- Ability to leverage other frameworks such as the EU-US Privacy Shield (once ratified) as a way to meet EU data transfer requirements and cover a large percentage of the GDPR requirements at the same time
A GDPR Project Plan will be highly-specific to each organization, but here’s an example of what a prioritized plan may look like as a targeted schedule in Gantt chart format.
Example of a Prioritized GDPR Project Plan
TRUSTe provides informational resources to help you develop your organization’s GDPR plan. Some organizations may find that they could benefit from an outside consultant, with significant in-house experience building complex privacy programs such as the GDPR, to help with the project planning process outlined above.
TRUSTe’s privacy consultants can work with you to conduct the entire process – including a risk analysis, level of effort analysis, and a prioritized project plan – through the GDPR Strategic Priorities Assessment. TRUSTe’s privacy consultants leverage the power of the Assessment Manager technology platform to guide the GDPR assessment workflow process and track the company’s progress against GDPR requirements.
Once the prioritized plan is in place, you’ll be in solid position to start “Step 4: Implement Programs” to be covered in a subsequent blog post.