Beyond assessments: Why project governance is key to GDPR success



With less than one year to go, executives armed with General Data Protection Regulation (GDPR) readiness assessments and a long list of compliance gaps are well aware that compliance with the EU’s upcoming GDPR requires more than an ad hoc approach.

A solid project governance framework, with cross-functional oversight and a project plan, is key to methodically charting a journey that meets the business objective, whether that is minimal compliance or establishing a market differentiator in data usage and protection.

For companies doing business in Europe, the stakes are high. Regulators have indicated there will be no grace period for compliance with the new regulation. With fines of up to 4% of total worldwide annual turnover (or €20 million, whichever is higher) for non-compliance and the looming prospect of consumer class actions, there is a strong incentive to get it right from day one.

EU General Data Protection Regulation

Operationalizing the GDPR program

Over the next few months, through a series of brief articles like this one, we will show executives how to pivot from the early “assessment” phase -- determining current data practices, inventorying data and assessing current capabilities -- towards solving the problem of “what now”: designing and operationalizing an ongoing program that allows for sustainable and demonstrable compliance through a project management framework. In these articles, we will address specific aspects of operationalizing the GDPR program, such as:

  1. Building cross-functional mobilization into GDPR compliance activities by identifying privacy capabilities and touch points across the organization and establishing a structure that won’t just coordinate remediation activities, but will also help drive them
  2. Leveraging GDPR gap assessments and data discovery activities to build an executable remediation plan with actionable and targeted work streams
  3. The “how-to” of GDPR compliance implementation: setting in motion GDPR components to remediate compliance gaps and establish a GDPR-ready privacy program
  4. Ensuring the viability and ongoing operation of your GDPR program by May 2018 with mechanisms to promote accountability on a go-forward basis

The importance of the program management office

For many privacy leaders -- especially those rising from a privacy counsel background -- launching a privacy PMO will require a big mind shift. There are three main reasons for this:

  1. Most GDPR programs involve at least 10 workstreams running in parallel across multiple lines of business and geographies. This level of coordination requires a degree of project-management discipline exceeding that of previous privacy compliance initiatives.
  2. Several GDPR requirements directly impact the technology environment and marketing processes, requiring an unprecedented level of coordination and change management across functions and other in-flight enterprise initiatives.
  3. Because GDPR profoundly affects how companies can use and monetize personal data, there has never been a greater need to connect the privacy program with the executive leadership team and their plans for future products and services, strategic partnerships, and acquisitions.

GDPR Program Management Office design

The clock is ticking

That is why we believe establishing a strong program management function will be critical in the coming months to enable leadership to prioritize efforts, secure buy-in from cross-functional senior-level stakeholders, and ensure all related projects are coordinated.

With the clock ticking, organizations must approach the GDPR challenge with a broad perspective and a sense of urgency. If done correctly, companies can leverage their efforts in a way that not only ensures compliance, but also improves their data protection and privacy in ways that build a strong brand around privacy protection in the marketplace and become a competitive differentiator. In subsequent blog posts, we will examine specific parts of the journey in depth. Establishing a solid project management framework is an important first step.

Contact us

Jay Cline

US Privacy Leader, Principal, PwC US

Carolyn Holcomb

Privacy Assurance Leader and ESG Partner, PwC US

Jacky Wagner

Managing Director, Cybersecurity and Privacy, PwC US

John Mendon

Director, Enterprise Systems Solutions, PwC US
