How to create a successful GDPR compliance program: The execution

Mar 1, 2019 12:00:00 AM | Creating a Privacy Program How to create a successful GDPR compliance program: The execution

In the previous blog post, we talked about the preparatory phase of creating a GDPR compliance program for your organisation. Now it is time for the next step: the execution of the plan. In this blogpost, we will give you tips about how you can roll out a successful GDPR privacy compliance program within your organisation.

Copy of Copy of Prepare for a successful GDPR compliance program-1

1. Get the programme managed: that too, is a job on its own

A good privacy officer is not necessarily a good program manager. So when getting your team together, consider hiring someone for the latter role, especially in large, complex organisations. You can focus on the subject matter and leave the organisation of the work to someone else. That can be a great relief to you and it can improve the effectiveness of the overall program by giving content and process equal weight. Remember that you need not and cannot be a specialist in all fields that are connected to, and relevant for privacy governance.

2. Build on existing foundations: there’s stuff that you can reuse

The privacy governance framework may not be there, but other procedures will be. If the foundation is already there, why build a new one? Try to identify the most ‘aligned’ existing procedures and policies and build on them. That supports recognition, facilitates efficiency and increases return on investment. In many cases, there will already be extensive security policies, and these can be extended to match the needs for a GDPR privacy compliance program.

3. Be a people person: you need allies, lots of them

Privacy governance and privacy awareness are ninety percent communication. You need to team up with a lot of people in order to have eyes and ears across the whole organisation. This will pay back in terms of reduction of liabilities, created by the tunnel vision of individual departments. Informal communication lines are a must-have to get the information you need. People have to be able to find you in order for you to build your inventories and ask you if an envisaged processing activity can be carried out.

4. What a surprise: all of a sudden, there are data breaches

Miraculously, after training the HR department, you get notified of (potential) breaches. Yes, breaches happened before, but they were not identified as such, so they never reached your desk. Training people means raising awareness, which will pay out - because an unnotified breach is a bigger liability than one that ends up on your desk. But note that this increase in breaches could be used against you at first. Prepare the Board to information that has been uncovered up till now. Understand that this is a sign of strength and not of weakness.

5. Switching initiative: people will follow your example

Once there is sufficient knowledge about the GDPR in your organisation, people will start contacting you spontaneously. Instead of having to be the ‘no saying’ privacy officer, you can switch roles. Questions will be formulated more carefully because people start realising that a project may have severe privacy implications. They will suggest themselves that maybe it’s not such a good idea after all. In such an atmosphere, you can be the ‘enabling’ party, helping to create the circumstances under which the project is possible after all.

In the next blogpost, we will take you through the last step of building your GDPR compliance program: the communication phase.

This blogpost series is based on our whitepaper about creating a successful GDPR privacy compliance program in collaboration with Annemarie Vervoordeldonk, an experienced DPO who has worked for several multinationals and has started her own business with which she provides consultancy and “DPO-as-a-Service”. 

Want to know more about the whole process of creating a GDPR privacy compliance program? Download the full whitepaper here.