How to Build a GDPR Implementation Plan

Focal Point Data Risk

27 Jul 201756:09

Summary

TLDRIn this webinar, experts from Focal Point discuss GDPR compliance strategies and challenges. The presentation covers the importance of data privacy, common pitfalls in GDPR implementation, and best practices for aligning with GDPR requirements. Key topics include the definition of personal data, the need for cross-functional collaboration, and prioritizing high-risk areas. The session also emphasizes the significance of continuous communication, project management, and preparing for the May 25th deadline. A Q&A segment addresses audience queries on GDPR projects, third-party data handling, and regulatory focus areas.

Takeaways

🗓️ The presentation is structured to cover the current GDPR landscape, common pitfalls in GDPR implementation plans, and methods for building and communicating these plans within an organization.
📈 Eric Dietrich, a leader in data privacy, emphasizes the importance of a risk-based approach to GDPR compliance, focusing on high-risk processes and systems first.
🌐 Francesca Sanabria discusses the cross-functional nature of GDPR, highlighting the need for collaboration between IT, legal, and other departments in the implementation process.
🔒 The definition of personal data under GDPR is broader than traditional PII (Personally Identifiable Information), creating challenges for organizations in identifying and managing personal data.
📝 Organizations should group GDPR articles by related topics to streamline the implementation process and reduce complexity.
🛠️ GDPR implementation involves a sequence of events starting from readiness benchmarking to defining baseline standards and workflows.
📉 A common pitfall is underestimating the level of cross-functional effort needed for GDPR projects, which can lead to inefficiencies and delays.
🏢 The scope of GDPR projects should consider different types of personal data and geographic locations, with a focus on high-risk areas.
🔑 GDPR is not solely an IT or legal issue; it requires a company-wide effort with clear ownership and collaboration across departments.
🛡️ Tools and technology are important for GDPR compliance, but they must be implemented with proper workflow design and operational considerations.
⏰ Time is a critical factor, and organizations should prioritize high-risk projects and processes to meet the May 25th deadline, using a risk-based approach.

Q & A

What is the purpose of the webinar?
-The purpose of the webinar is to discuss GDPR readiness, implementation plans, and answer related questions from participants.
Who are the panelists for this webinar?
-The panelists are Eric Dietrich, Francesca Sanabria (Fran), and Katherine Kill.
What topics will be covered in the presentation?
-The presentation will cover the current GDPR landscape, common pitfalls in designing GDPR implementation plans, and methods for building and communicating these plans.
What are some common pitfalls when designing a GDPR implementation plan?
-Common pitfalls include inconsistent interpretations of GDPR articles and lack of prioritization and ownership of activities due to the cross-functional nature of GDPR requirements.
Why is a risk-based approach recommended for GDPR compliance?
-A risk-based approach helps prioritize high-risk processes and systems, making it more practical to address the most critical areas first and gradually work towards full compliance.
What are the key components of an effective GDPR implementation plan?
-Key components include defining project owners, collaborating departments, clear prioritization, estimated resources and costs, and dependencies with other projects.
What challenges do organizations face when implementing GDPR requirements?
-Challenges include broad definitions of personal data, complex scoping activities, cross-functional coordination, and managing timelines to meet GDPR deadlines.
How should organizations prioritize GDPR-related projects?
-Organizations should focus on high-risk systems and processes, considering factors such as the sensitivity of personal data, volume of records, and whether systems are managed internally or externally.
What are some examples of concurrent GDPR projects that can be performed?
-Examples include security activities like encryption implementation and governance functions like creating policies and procedures.
What steps should be taken to ensure third-party compliance with GDPR?
-Organizations should review and update contracts with third parties to include GDPR compliance clauses and may rely on certifications like ISO or SOC 2 for assurance of security practices.