A four-phase plan for the practical implementation
1. “Gap” analysis
As a first step, the company has to analyze its existing data protection standards and compare them with the requirements of the GDPR. In the course of this gap analysis, all shortcomings in relation to the requirements of the GDPR should be identified and eliminated.
2. Risk analysis
Since the GDPR follows a risk-based data protection approach, the scope of the company’s data protection obligations depends on the risk potential of its processing activities with regard to the rights and freedoms of the data subjects. In addition, implementing the new data protection standards will require a high degree of effort, so the obligations cannot all be implemented at the same time. Therefore, companies should examine which processes carry the highest risk and must therefore be brought in line with the GDPR first.
3. Project conception
On the basis of the project plan, an internal data protection organisation is conceived through which the requirements of the GDPR will be implemented; it should include a binding, GDPR-compliant data protection policy. The concept should take into account the budget and resources for the reorganisation, including legal and IT costs and the necessary staffing. If already in place, the data protection officer can be of great assistance at this stage.
The company should assign project responsibilities to key employees in the most affected business areas and offices and appoint an overall project manager.
4. Implementation
As a final step, the GDPR-compliant data protection standards are introduced in the company on the basis of this project concept.