How you and others can digest your GDPR project
Tim Clements
Helping global data protection leaders turn digital complexity into clear, actionable strategies
“When eating an elephant, take one bite at a time.”
This quote, attributed to US Army General Creighton W. Abrams, is highly relevant to a GDPR project.* Breaking your GDPR project down into key deliverables will help you plan the work, understand dependencies, allocate resources and communicate the focus and scale of the project to senior stakeholders.
To define the project scope and identify specific deliverables, you need a holistic view of the organisation, examined from several perspectives. Borrowing a technique from MSP (Managing Successful Programmes) known as POTI analysis, you can identify GDPR impacts across the following four dimensions and apply them to your organisation:
P - Processes, procedures and functions
O - Organisation, roles & responsibilities, staffing levels, skills and culture
T - Technology, tools, IT, applications, infrastructure
I - Information, data, documents
Before you do this, consider your current level of compliance with existing data protection legislation, as discussed in an earlier article. If you can already demonstrate compliance with, say, the 1995 Data Protection Directive (95/46/EC), you can concentrate on the impacts of the key changes the GDPR introduces. If not, a deeper analysis will be required.
In addition to POTI analysis, consider taking a Product Based Planning approach, as advocated by PRINCE2, to pinpoint specific deliverables. Take the requirement for data breach notification as an example: the GDPR defines “personal data breach” (Article 4(12)) and sets out notification requirements both to the supervisory authority (Article 33, without undue delay and where feasible within 72 hours of becoming aware of the breach) and, where the breach is likely to result in a high risk to individuals, to the affected data subjects (Article 34). A single requirement like this has impacts across all four POTI dimensions (very high-level examples shown):
Process: update the existing breach-handling process (if one exists) or define a new one; consider interfaces to other processes (incident response, security operations, supplier management); implement the process and decommission the existing one if it is not fit for purpose, etc.
Organisation: a process owner is required; internal or external recruitment, or an existing role? Define responsibilities (including the DPO's role, where one is appointed); role-based training; communication of the new process to staff, etc.
Technology: what system is needed to support the breach notification process, for example for logging incidents, tracking the 72-hour deadline and maintaining the breach register that Article 33(5) requires you to keep: use an existing tool or source a new one? etc.
Information: reporting (external and internal, formats); record formats; statistics, etc.
POTI analysis involves collaborating with key stakeholders across the organisation, typically through workshops and interviews, to build the initial list of impacts. From there, specific deliverables (or products) can be identified and a Product Breakdown Structure (PBS) produced (a basic example is shown below). The PBS is a great visual tool for documenting, analysing and presenting the specifics of your GDPR project.
The deliverables in your PBS can then be “scheduled” to form a GDPR Deliverables Roadmap: a visual representation of what your project will deliver between now and 25 May 2018, when the GDPR applies. The example GDPR Deliverables Roadmap below also includes some core project tasks and matches the four key areas I identified in my last post, GDPR Visual Game Plan: Gap and Risk Assessment, DP Governance Framework, Organisational Change Management, and Control and Policy Implementation.
Each deliverable is also described in a “Deliverable Description” that references the specific articles of the GDPR that make the deliverable necessary; this is always useful when a senior stakeholder claims “we don't need this and that”. The key tasks and resources needed to produce the deliverable are also specified, and can then easily be copied across to your detailed project schedule, e.g. in MS Project.
My next post will focus on a pragmatic approach to mapping data flows.
* The concept of GDPR and elephants has already been written about elsewhere including a great article by Monique Altheim.
Get in touch
I help data protection leaders assess and improve their data protection program capability. Interested? Let's get on a call this week. I'll outline the approach in more detail.
Senior Salesforce Consultant, Business Analyst | Salesforce Implementation, Audit & analysis.
7 years ago: Tim Clements, I'm comforted that independently I'd adopted the same approach, but also added People into my model to cover training, assignment of DPO etc. https://www.dhirubhai.net/pulse/when-eating-elephant-start-tail-gdpr-madog-williams/
Technology Portfolio Director | B2B, B2C, Retail | Telecoms, Satellite
7 years ago: Clearly transitioning from gap analysis outputs to a plan of attack is a significant challenge for large organisations due to the nature of the project at hand: it impacts everything, the details and the big picture elements (governance); it impacts the handling of information by processes, technology and people... and, dare I say, it impacts strategy and culture! Thank you Tim for sharing.
Data protection, security, AI / ML governance, risk, and compliance
7 years ago: Great stuff. Too few are actually coughing up insight into 'how' folk can chop this into manageable parts and work to get aligned with this beast of a regulation. For anyone who needs to take a step back to the 'what' and 'why' of GDPR, have a browse through Tim's other articles.
Yes, re fines: I am sure many have seen https://ico.org.uk/action-weve-taken/ I think we can take a business-process-centric view of this, i.e. "the customer data"... but with privacy there are the disclosure, consent and even accessibility issues. Noting that some systems depersonalise information and aggregate it for a reason: does the user know the rules and reason for this? Disclosure: Cxxs, for example, get concerned that their corporate strategies are disclosed on a social network; staff can chat in a pub and disclose business and customer issues. USB dongles and BYOD: what's on those? I was given a disk to put my presentation on in a meeting; they left me the disk and it had the finances on it. I run my R&D out of town, away from the coffee shop malls. Why? Consent is given on an understanding at an instant in time... and can be withdrawn. The right to be forgotten is there, but one can't forget emails, order forms, help calls and billing. So that one has to be worked through; one has to tell the user "what can be forgotten". Accessibility, e.g. low-sight, no-sight and disabled users: privacy conditions cannot be discriminatory. #gdprconsentaccessibility