As such, this is best compared to the process of implementing fiscal rules and regulations. Both GDPR accountability and fiscal accountability require the cooperation of all employees, the registration of each relevant occurrence, complete transparency and an iterative approach that is based on a Plan-Do-Check-Act cycle.
We have translated this cycle into a role-based GDPR implementation strategy, executed by the Inspector, Policy maker, Planner and Controller roles.
During the preliminary investigation, applicable laws and regulations are identified, as well as the locations of data files. An inventory is also made of the business processes that involve the processing of personal data.
This requires a three-step procedure in which the software applications being used in each department are identified, including the business processes supported by each application.
The Controller phase is the final stage of the TPF methodology. In this phase, the focus is on monitoring the timely, complete and accurate performance of privacy activities and on iterative assessment of the results from the previous Inspector, Policy maker and Planner phases. The assessment is iterative because the processing of personal data is by nature subject to change, so the assessment needs to follow this same dynamic.