Implementing the GDPR within an organisation, be it small or large, and handling simple or complex processes, is primarily about knowledge and change management.
As such, this is best compared to the process of implementing fiscal rules and regulations. Both GDPR accountability and fiscal accountability require the cooperation of all employees, the registration of each relevant occurrence, complete transparency, and an iterative approach based on a Plan-Do-Check-Act cycle.
The Privacy Factory has translated this cycle into a role-based GDPR implementation strategy, executed by the Inspector, Policy maker, Planner and Controller roles.
An informed impression of an organisation's GDPR context
During the preliminary investigation (the Inspector phase), applicable laws and regulations are identified, as well as the locations of data files. An inventory is also made of the business processes that involve (the processing of) personal data.
This requires a three-step procedure in which the software applications used in each department are identified, together with the business processes each application supports.
Documenting these processing operations is aimed at creating a ‘Register of processings’ which, apart from describing the objectives of processing, lists, among other things, all relevant filing systems and the name, address and city details of processors and third parties. In the Planner phase, this register is the basis on which privacy activities are assigned to specific processings.
Getting everyone on the same GDPR page
The Policy maker phase is where, prior to drawing up the main objective planning, the privacy mission and associated privacy rules of conduct are defined. The result is a policy framework serving as a “compass” in assigning and carrying out privacy activities.
The main objective planning, on the other hand, is driven by the results of a Privacy Quickscan survey conducted among stakeholders within the organisation. This planning outlines a general prioritisation of privacy activities to be carried out.
Assigning privacy tasks to members of the privacy team
In the Planner phase, the focus is on assigning privacy tasks to members of the privacy team and on the subsequent performance of these tasks. The team is made up of employees selected on the basis of how well their knowledge and skills equip them to carry out the planned privacy activities.
In total, there are 57 mandatory activities that organisations are required to carry out under the General Data Protection Regulation. For each activity, the frequency of performance and the necessary means of proof are recorded.
Monitoring the timely, complete and accurate performance of privacy activities
The Controller phase is the final stage of The Privacy Factory (TPF) methodology. In this phase, the focus is on monitoring the timely, complete and accurate performance of privacy activities and on iteratively assessing the results of the previous Inspector, Policy maker and Planner phases. The assessment is iterative because the processing of personal data is by nature subject to change, so the assessment must follow the same dynamic.