How to create a cross-functional GDPR implementation team

Part 2 of a series

By Jacky Wagner, Managing Director; John Mendon, Director; and Rachel Thompson, Manager

Overview

Achieving GDPR readiness, no matter your industry, requires more than simply tasking your company’s legal team to address the issue. Much like it takes a variety of skilled tradespeople to build a house – electricians, plumbers, carpenters and more – complying with the EU’s General Data Protection Regulation requires buy-in from executives throughout your organization, with responsibilities spread across many functions ranging from human resources to legal to audit and finance.

In Part 1 of this series, we talked about the importance of establishing good project governance on your journey to GDPR readiness. In this post, we will show you why – and how to do it. It is critical to get the right people involved and empower them with the tools, resources and decision-making power they need to get the job done.

When setting up a cross-function GDPR team, we suggest four steps:

Find a GDPR program sponsor. It cannot be an honorary title, but should be someone who will oversee and drive your company’s overall GDPR readiness program, someone who will put his or her neck on the line to ensure the program is ready and fully implemented by May 2018. Selecting the right person for this role is essential. It must be someone who can rally the organization behind the effort, and has the seniority and authority to secure necessary funding. Each organization must evaluate who is the best person for this job and in the long term, this person will also likely be the ongoing sponsor for the company’s privacy program. In some cases, that could be your CPO, but it could also be your CFO, CIO or general counsel.
Create a GDPR program steering committee. This should be a group of senior executives that have the resources to do what’s necessary to ensure comprehensive GDPR implementation, and are ultimately accountable for the delivery of the readiness program. This group includes key representatives from all affected areas, such as the heads of business lines, procurement, IT, legal, audit, finance, human resources. All must have a seat at the table, and must meet regularly to ensure communication and coordination. This group is not the “doers.” Rather, this group is comprised of the leaders who will identify workstream owners for each impacted program.
Establish a project governance framework. Now it is time to get more tactical. Create a governance document that outlines how the program will run, which will defines the structure around delivery of the program. It should outline how often the steering committee will meet, how committee members should report progress and problems, and set up clear communication channels. It should spell out who is responsible for carrying out each task, and how those tasks are going to be implemented. It should lay out roles, and provide for interaction between key functions, including the privacy office, the compliance team and the legal office. The framework should establish milestones and, where necessary, create sub-committees. In short, it should be a comprehensive guide for how your company works toward May 2018.
Identify privacy touchpoints in the organization. Once your oversight committee is in place, you need to start setting up workstreams. Because GDPR is a new regulation, there are no GDPR “experts.” It is not a job for your organization’s legal team. As noted above, you need buy-in across your company. Building the right team for the job means first identifying skill sets across the organization. You’ll need project managers, ideally one with experience managing governance, policy and security-related projects. You’ll need IT professionals with a background in compliance. You’ll need human resource managers, change managers, training and communications professionals.

Once your GDPR team and governance framework are in place, it’s time to start assigning specific projects, which will contain multiple workstreams. As you can see in the chart below, there are many moving parts in the journey to May 2018, and there will be some overlap among the workstreams, which will run in parallel across multiple lines of business and geographies. This graphic intentionally shows placeholders for Projects 3 and 4, illustrating how you'd need to identify workstreams before starting.

Because GDPR will impact so many areas of your business, it is vital to have a strong plan, to coordinate and communicate, and to ensure you have taken all the necessary preparatory steps that will enable success. Without defined roles, cross-functional buy-in, frequent touchpoints and clearly identified executives who will own the process, employees can lose focus. The stakes are too high to let any part of your GDPR preparations fail.

In our next post, we’ll discuss how to build an executable remediation plan for you GDPR readiness program.