Implementing the GDPR within an organisation, be it small or large, and handling simple or complex processes, is primarily about knowledge and change management.

As such, it is best compared to the process of implementing fiscal rules and regulations. Both GDPR accountability and fiscal accountability require the cooperation of all employees, the registration of each relevant occurrence, complete transparency and an iterative approach based on a Plan-Do-Check-Act cycle.

The Privacy Factory has translated this cycle into a role-based GDPR implementation strategy, executed by the Inspector, Policy maker, Planner and Controller roles.

Inspector

An informed impression of an organisation's GDPR context

Preliminary investigation

During the preliminary investigation, applicable laws and regulations are identified, as well as the locations of data files. Also, an inventory is made of the business processes involving (processing of) personal data.

This requires a three-step procedure in which the software applications used in each department are identified, together with the business processes each application supports.

Processings

Documenting these processing operations is aimed at creating a ‘Register of processings’ which, apart from describing the objectives of processing, lists – among other things – all relevant filing systems and the name, address and city of processors and third parties. In the Planner phase, this register is the basis for assigning privacy activities to specific processings.

Policy maker

Getting everyone on the same GDPR page

Mission and rules of conduct

The Policy maker phase is where, prior to drawing up the main objective planning, the privacy mission and the associated privacy rules of conduct are defined. The result is a policy framework that serves as a “compass” for assigning and carrying out privacy activities.

Main objective planning

The main objective planning, in turn, is driven by the results of a Privacy Quickscan survey conducted among stakeholders within the organisation. This planning outlines a general prioritisation of the privacy activities to be carried out.

Planner

Assigning privacy tasks to members of the privacy team

In the Planner phase, the focus is on assigning privacy tasks to members of the privacy team and on the subsequent performance of these tasks. The team is made up of employees selected on the basis of how well their knowledge and skills equip them to carry out the planned privacy activities.

In total, there are 57 mandatory activities that organisations are required to carry out under the General Data Protection Regulation. For each activity, the frequency of performance and the necessary means of proof are recorded.

Controller

Monitoring the timely, complete and accurate performance of privacy activities

The Controller phase is the final stage of the TPF methodology. In this phase, the focus is on monitoring the timely, complete and accurate performance of privacy activities and on iteratively assessing the results of the previous Inspector, Policy maker and Planner phases. Iterative, because the processing of personal data is by nature subject to change, so the assessment needs to follow the same dynamic.
