By May 25 2018 you should have put in place a Privacy Management System to be compliant with GDPR and be able to show it
The complexity of the many requirements, the wide scope of application (data and applications), and the limited timeframe and resources available imply that a sound Program Management is a key success factor
By May 2018 you will have likely implemented most part of the framework, and started checking it.
No matter why and how, what you should focus on is keeping it going as a rolling overall process which is improving over time and producing all the accountability trails required by the GDPR.
It is not a 14 months exercise, it is a new regime of data protection looming on EU and beyond.
11. Sample roadmap cont’d

Global manufacturer, market-leader
‒ Compliance in US, the review of the privacy governance framework is temporarily on hold, late as the current framework is incomplete
‒ ICT is leading an IT assessment and is updating the company IT asset inventory with privacy metadata; privacy by design already in place, no data breach mgt in use yet
‒ More than 30 countries, still lack of endorsement from the Board

Global large manufacturer
‒ Privacy function led an early self-assessment in 4 continents to assess privacy gaps in minor countries
‒ Early awareness to the Board, strong culture of IT risk & audit, global framework under review, model organization under review, scouting of GRC tools in progress

Mid-size online bank
‒ Early program management exercise to identify priorities
‒ Early awareness to the Board
‒ Governance framework under review
‒ IT assessment postponed, Internal Audit in the working team, no DPO appointed yet

Italian pharmaceutical service provider
‒ Late start, IT is leading an initial assessment with the support of compliance
‒ Limited initial budget, and sharp focus on critical data processing areas
‒ Organizational model to review, no DPO appointed yet

Global ICT consulting and service provider
‒ Group with more than 90 operative companies in 3 continents, half of which IT service providers in different industries: telco, media, healthcare, public administration…
‒ Strong endorsement from the Board, structured communication plan
‒ Data mapping in progress, global framework and organizational model under review (local DPO)
‒ Legal tracking activities in progress, IT assessment of central services under planning
12. Sample macro-plan illustrative

Hypothetical launch in January 2017. Program Master Plan: Program Tasks in 3 phases *

Program Timeline: Jan-17, Mar-17, Jun-17, Sep-17, Dec-17, Jan-18, Mar-18, May-18, with a count-down from 16 months to 0 at 25 May 2018 (a TODAY marker shows the current position on the timeline).

Program Tasks
‒ Kick-Off of the GDPR Program
‒ Set Vision, Strategy, Team and Plan
‒ Consensus of the Board, Comm. Plan
‒ Develop the global Governance Framework and the Organizational Model
‒ Local Legal Tracking, ICT Assessment
‒ Ad-Hoc PIA, Remediation Plan
‒ Implement the global Framework locally
‒ Train management and employees
‒ Test customer-facing activities
‒ Audit Framework, Implement changes
‒ GDPR Program implemented

Milestones (chart legend: Planned, Baseline, Major Milestone, Milestone)
‒ Launch: Plan approved, Team operative
‒ Board aware, Communication Plan
‒ Global Model, Guidelines, Standards, Procedures
‒ Major Remediation Plans
‒ Controls Implemented
‒ Employees trained
‒ Framework in all Countries
‒ End, 25 May 2018: Privacy Management System auditable

* Illustrative macro-plan, a detailed plan is largely dependent on the company Context, Strategy and Team
13. People * and Role *

Program Coordination and Quality Assurance
People:
‒ GDPR Program Manager
Role:
‒ Coordination, communications, escalation management
‒ Interface towards Stakeholders and the Working Team
‒ Support the DPO for Program quality assurance

Program Auditing and Approval
People:
‒ Data Protection Office(r)
‒ Internal Audit
‒ Specialized 3rd Parties and consultants
Role:
‒ DPO: check and approval of intermediate/final deliverables
‒ IA, 3Ps: if present, support DPO for ensuring the auditability of the Privacy Management System

Program Implementation
People:
‒ Chief Privacy Officer
‒ Privacy and Security Practitioners
‒ Company Areas Privacy Champions
‒ Specialized 3rd Parties and consultants
Role:
‒ CPO: lead, coordinate and supervise the working team, interface with DPO and Program Manager
‒ Practitioners, i.e. working team: develop the framework documentation, perform the info gathering (interviews, workshops), deliver assessments and remediation plans
‒ Areas Champions: support the working team, sharing and preliminary validation of partial outcomes
‒ 3Ps, Consultants: support the working team

Steering Committee and Sponsors
People:
‒ Board, Heads of Departments and other Stakeholders (e.g. Mktg, HR, Compliance, Legal, ICT, Ops.)
Role:
‒ Vision, Strategy and Goals Setting
‒ Endorsement and Program Visibility

Sample team illustrative
* Illustrative team for a large company, in smaller companies roles and responsibilities could be aggregated