Part 3 of a series
By Jacky Wagner, Managing Director; John Mendon, Director; and Rachel Thompson, Manager
As the May 18 deadline for GDPR implementation draws just a few months away, the urgency to complete remaining tasks grows even stronger. In Part 2 of this series, we described how you can create a cross-functional General Data Protection Regulation implementation team and, by now, you should have a list of GDPR readiness gaps – an assessment of the state of your business in relation to GDPR requirements. You should also have a dedicated, cross-functional project team in place, with a sponsor, a steering committee and an assembly of ground troops.
The next step? Create a project plan. Because the challenge of preparing for GDPR is unique and specific to each organization, it is impossible to apply a cookie-cutter approach to project planning, and you will need to remain flexible. Yet, as with any journey of this magnitude, there are some common project management steps to consider:
1) Create a series of logically grouped activities, or "projects"
GDPR preparation activities will overlap and have similar dependencies. There will also be different parts of the organization involved in multiple activities. Accordingly the project plan should be broken down with a primary - and accountable- project owner for the workstream at the top , such as privacy, procurement, human resources or other key departments.
To make these projects easier to independently manage, consider breaking them down even further into a series of smaller workstreams. Once these projects are in place, a program management office (PMO) can establish an integrated GDPR schedule, highlighting key milestones and key dependencies across all teams.
Some examples of potential GDPR projects and workstreams include:
Data lifecycle and risk management
Data processor accountability
Governance, policies and processes
2) Scope and prioritize workstreams
All companies are unique and have different risk profiles, meaning GDPR plans will look different for each organization. For example, a consumer-facing company might have a larger project for data subject access rights than business-to-business organizations, while a company working primarily with a European Union workforce may be more concerned with human resources data than companies that are primarily selling product in the EU without employing large numbers of people there. That’s why the key is figuring out which data in your particular organization will be impacted by GDPR, then deciding what a remediation plan should look like.
Many companies, particularly those which deal with consumers, are conscious of having their externally facing privacy notices up-to-date, and rely on having compliant-consent mechanisms in place. But before you start updating your notices and consents, you should ensure you have properly conducted your data discovery to understand data flows. This process also allows you to fully understand the scope of processing activities connected to the point of collection, as well as the downstream uses.
In addition, you should run a legitimate interests analysis to understand what collection practices are based on consent. Finally, you should also consider internal procedures. For instance, does your business have its internal housekeeping in order? Can it support the promises made to customers in your notices?
3) Estimate the level of effort for each activity
Understanding the time commitment necessary to complete all necessary tasks is one of the biggest challenges on the path to GDPR readiness. Until you break down the tasks into quantifiable estimates, it is impossible to know what skills you will need, how many people will be involved, or the number of hours required to get everything done.
We suggest breaking activities down into manageable chunks of work, typically one day to one week. Resist the urge to create tasks that are too small, as they can become tedious to manage. Conversely, with tasks that are too large, you may find it difficult to create accurate estimates.
It is important to have the right people creating the estimates for how long each project will take. For instance, you should not have a member of the legal team estimating how long it will take to do an IT project, or vice versa.
The goal is to ensure you have dedicated the right skill sets and resources to each project. The process likely will take many iterations and reviews.
4) Assign resources to specific activities
Once you have grouped GDPR-related activities into projects, gotten a handle on dependencies and constraints, and estimated the time it will take to get each project done, it is time to assign resources. Whenever possible, assign specific resources instead of a team or resource pool. If you do use a “pool” of employees for a specific project, it is important to understand their total available hours to ensure the team is not overscheduled. Whatever method you choose, the plan should be leveled, which is a technique for ensuring assigned hours are flat-lined across the project timeline based on resource availability. This should take into account other assignments outside of the GDPR project, as well as holidays and planned time off.
Once you have created your plan, and it has been approved by project stakeholders, it is important to baseline it. This will help measure progress on a week-to-week basis, and help react to changes as each project progresses. You will need to not only have a plan, but an executable roadmap with task owners.
The project management office should create an ongoing schedule management function to drive activities on a weekly basis, run “what-if” analyses, provide reporting and deal with inevitable changes that occur on a project of this size and complexity. The goal is to ensure you have the right skill sets and resources dedicated to each project.
No matter what plan you develop, it will never go off perfectly. While well-defined goals and guidelines are essential, so is flexibility – the ability to manage and adapt as the landscape changes. With the clock ticking toward the May 2018 deadline, the time to act is now.