I’d like to start by saying that I’m allergic to checklists that claim they’re a one-size-fits-all for implementing the GDPR. Don’t fall for it, guys. It really is too good to be true.
If you think you can just use a checklist to implement the GDPR, you’re wrong. Also, if you think ‘well, at least I’m getting a whole lot done’ you’re wrong AND taking a huge risk.
A risk of using checklists is that you’re wasting valuable resources (budget, people, equipment) doing things that may not apply to you or your organization. Another risk is that you’re not doing enough, because no checklist (that doesn’t have over 1,000 to-dos on it) will cover everything. So in essence you could be missing important things that could result in high fines (check out my blog F is for Fines), or you could be doing things you don’t need and just throwing money away. Seems silly, doesn’t it?
If you need medical advice, sure, Dr. Google and WebMD can provide a lot of information, but wouldn’t you rather know with more certainty whether you’ve got a deadly disease or just a pimple? Hopefully, you’d seek proper medical advice from someone who actually studied for it. The same applies to the GDPR. Everybody is an expert all of a sudden, but hardly anyone has actually read the GDPR law and recitals and all the other (mostly boring yet informative) articles and court rulings. And besides that, I’ve noticed that most lawyers with a different specialty think they can just take on privacy law, but really can’t, which means you’re not getting the right advice. On top of that, oftentimes they’ll lack the ability to apply a risk-based approach, or at the very least a practical approach. And yes, I myself am not only a certified DPO but also a certified practitioner in project management, program management, change management and risk management. And yes, I’m tooting my own horn here (but a girl’s gotta do what a girl’s gotta do), but boy does all this help when implementing the GDPR (and other standards), and it helps clients as well, who don’t have to hire different people when they can have an all-in-one.
The GDPR requires you to document everything to show your accountability. All your plans should be documented as well, including your roadmap. Your roadmap should be an overview of what you’re planning to do to become (and stay!) GDPR compliant and when you’re going to take action on specific tasks. You’ll first need to have done a baseline measurement (check out my blog B is for Baseline Measurement) to know where you are, so that the gap analysis can then show you what you still need to do. You should prioritize the actions accordingly. Here’s where you really do need expert advice from a proper GDPR consultant, because again, you don’t want to waste time (which is money too), budget and resources. Once you’ve prioritized them based on things like availability of staff, cost of implementation and the expert GDPR advice, you can plan them in your roadmap and start implementing.
I offer regular GDPR Baseline Measurements and GDPR Quick Scans to help you set out your action plan. I’m also a certified professional who can help you at project and program level to implement the GDPR within your organization using a risk-based and practical approach. Contact me at Saskia.email@example.com for inquiries.
Sign up for the 60 Day Privacy & Risk Challenge which starts February 3rd 2020.