GDPR Project Plan Template For Complying With The EU
Overview
Following the creation of the GDPR, complying with its statutes has become a must for all EU organizations, or ones who have dealings with customers in the EU.
This massive endeavour requires a detailed plan that takes into consideration the many requirements, timelines, milestone tracking, risk and gap assessments, and many more issues.
A robust implementation plan is necessary to comply with the many statutes and regulations.
Project Plan
The goal of the project plan is to answer the three basic PMO questions:
- What needs to be done?
- Who needs to do it?
- When?
The plan also aims at presenting the status of the tasks and the dependencies between them, and at allowing the owners to raise any issues that they think may impact the timeline of their tasks.
Once all these fields are updated, it will be possible to extract additional information from the plan like critical chain, potential blockers, bottlenecks, and overall risks.
Documents Required for GDPR Implementation
1. Personal Data Protection Policy:
Article 24 of the GDPR. This is a high-level document for managing data privacy in the company. It explains what the company seeks to achieve and how.
2. Privacy Notice:
Articles 12, 13, and 14 of the GDPR. The Privacy Notice explains how all the personal data collected from non-employees will be processed.
3. Employee Privacy Notice:
Articles 12, 13, and 14 of the GDPR. Same as point 2 above, but for the employees of the organization.
4. Data Retention Policy:
Articles 5, 13, 17, and 30 of the GDPR. Explains for how long the personal data will be stored and how it will be disposed of once that time is up.
5. Data Retention Schedule:
Article 30 of the GDPR. The Data Retention Schedule is a list of all the personal data that is currently stored, with a timeline for each item stating how long it will be kept.
6. Data Subject Consent Form:
Articles 6, 7, and 9 of the GDPR. Allows the organization to obtain and process personal information from individuals while explaining to them the parameters of the Data Retention Policy (point 4 in this document).
7. Parental Consent Form:
Article 8 of the GDPR. This applies to people under the age of 16 and is otherwise the same as point 6 above.
8. DPIA Register:
Article 35 of the GDPR. Stores all of the results of the Data Protection Impact Assessment.
9. Supplier Data Processing Agreement:
Articles 28, 32, and 80 of the GDPR. Lays out the data processing policy your organization will have with any other 3rd party vendors, suppliers, etc.
10. Data Breach Response and Notification Procedure:
Articles 4, 33, and 34 of the GDPR. The Data Breach Response and Notification Procedure explains what to do before, during, and after a data breach.
11. Data Breach Register:
Articles 4, 33, and 34 of the GDPR. The Data Breach Register is a record of all the data breaches that your organization has encountered.
12. Data Breach Notification Form to the Supervisory Authority:
Article 33 of the GDPR. In case of a data breach, this will explain how to notify the Supervisory Authority formally.
13. Data Breach Notification Form to Data Subjects:
Article 34 of the GDPR. Same as point 12 above, but describes how to notify the individual people whose data was breached.
Documents That May Be Required for GDPR Implementation
In certain conditions, the following documents may also be required:
1. Data Protection Officer Job Description:
Articles 37, 38, and 39 of the GDPR. The organization may need to appoint a DPO if any of the following conditions apply:
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
- The core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale.
- The core activities consist of large-scale processing of special categories of data or of personal data relating to criminal convictions and offenses.
2. Inventory of Processing Activities
Article 30 of the GDPR. A record of all the processing activities performed on the personal data records. Required only if any of the following apply:
- The company has more than 250 employees.
- The processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects.
- The processing is not occasional.
- The processing includes special categories of data.
- The processing consists of personal data relating to criminal convictions and offenses.
3. Standard Contractual Clauses for the Transfer of Personal Data to Controllers:
Article 46 of the GDPR. Required only if the organization plans on transferring any personal data to an entity (controller) outside of the EEA.
4. Standard Contractual Clauses for the Transfer of Personal Data to Processors:
Article 46 of the GDPR. Required only if the organization plans on transferring any personal data to an entity (processor) outside of the EEA.
Required Fields in the Project Plan
The plan must include the following information:
1. Documents:
The documents that must be filled in, and the documents that may be required to be filled in (each document must specify the relevant article numbers).
2. Clauses:
Specific clauses that are required for the organization as a result of its area of expertise, industry regulations and the countries it does business with. E.g.: Brexit, mining companies, etc.
3. Gap analysis:
Answers the question: "Where are we now, and where do we want to go?". Basically, it is a list of requirements that are either checked (we have them) or unchecked (we don't have them).
4. Risk analysis:
Maps the recognized risks, along with their probability (%), impact (1 to 5), mitigation and score (for ranking their severity).
5. Allocation of resources:
Assigning an owner to each task.
6. Data protection standards:
Tracks whether all documents have been filled in correctly.
GDPR Obligations Include:
1. Data Control:
Organizations must take the following actions to ensure the confidentiality of the subject:
- Always use data for purposes that have been approved.
- Ensure data integrity and accuracy.
- Minimize the disclosure of subject identities.
- Put data protection safeguards in place.
2. Data security:
Organizations must put the following into practice in order to protect the subject's privacy:
- Safeguarding data for future processing.
- Information security measures.
- Security as a contractual requirement, based on risk analysis.
- Authentication.
3. The Right to be Forgotten:
Subject data can't be kept forever. GDPR requires organizations to delete all data from all repositories when:
- Clients withdraw their consent.
- A joint venture asks for the erasure of data.
- The conclusion of service or agreement.
4. Diligence and Risk Mitigation:
Organizations must assess the threats to privacy and security and show that they are taking precautions to reduce those risks. Businesses must:
- Make a risk analysis.
- Put steps in place to guarantee and show compliance.
- Actively assist third-party partners and customers to comply.
- Show complete data control.
5. Notification of a Breach:
In the event of a security breach, organizations must:
- Within 72 hours, notify the authorities.
- Describe the fallout from the breach.
Conclusion
The project plan for the General Data Protection Regulation (GDPR) should include a thorough analysis of the organization's data protection processes, identification of potential risks, and implementation of necessary changes to ensure GDPR compliance.
A GDPR project plan that is successfully implemented can increase customer trust while also protecting the organization from potential fines and legal consequences.