GDPR Compliance Project

Implementation of the General Data Protection Regulation

The Client

International management and technology consulting firm – London, United Kingdom

My Role

Project Manager

The Business Challenge

The General Data Protection Regulation was written into law in 2016 and becomes enforceable from 25 May 2018. Any organisation that handles personal data is required to comply with this regulation.

The Solution

The project addressed a number of areas such as risk reviews for projects, customer engagements, and supplier contracts, to identify any improvements for the management of personal data. In addition, all policies were updated and a number of new ones created to ensure the compliant handling of personal data.

The Business Benefits

In addition to the organisation complying with the law, this project has built increased trust from employees and customers, improved the quality of data (e.g. sales contacts), improved a number of business processes, and led to the achievement of a new British Standard.

Assessing Risk

The risks associated with the processing of personal data throughout the organisation needed to be identified and managed. This was done by performing a Data Protection Impact Assessment (DPIA) on various areas of the business. The DPIA identified, amongst other things, the business processes that involved personal data, where the personal data originated from, how the personal data was being used, what the legal basis for processing the personal data was, and what the risks to the data subject were in the processing of this data.

The DPIA was then used to ensure that the necessary organisational and technical measures were in place to correctly manage these risks.

Achieving a new British Standard

One of the key workstreams of this engagement was the implementation of a Personal Information Management System (PIMS), which ensures that personal data within the organisation is appropriately managed. This system, comprising people, process, and technology aspects, was implemented in all business functions.

This system underwent an independent review by the British Standards Institution (BSI), resulting in the organisation being awarded the BS10012:2017 standard, the first global organisation to achieve this standard.

Establishing Effective Governance

Implementing an effective personal information management system and complying with the GDPR is not something that the IT or Legal business functions can do in isolation. A concerted and coordinated effort across all business functions is required. To facilitate this, an Executive Sponsor was appointed, a Steering Committee established, and GDPR Champions identified within the various business functions.

Training was also important, and as part of a larger change management intervention, mandatory training was provided to all employees.