Implementing a GDPR project with full control

A well-defined method and tools to ensure the right compliance level

At IT informa, we have completed several projects governed by regulatory requirements: PUL (the Swedish Personal Data Act), patient data laws in different countries, and now also the General Data Protection Regulation (GDPR). What these projects have in common is that we work with a well-defined method and tools to ensure that we reach the right compliance level, and also that we maintain it throughout the life cycle. That is our way of implementing GDPR with full control.

Implementing a GDPR project

Projects follow a set of phases that guide the work. First we document the current situation and define the desired result. Next, we implement the changes needed to achieve that result. Once the desired outcome is reached, ongoing changes in the business and in the external environment require the solution to be adapted, so the achieved result must be managed to keep the solution aligned with evolving conditions.

Feasibility study

The feasibility study collects and compiles detailed information about the current compliance level. This forms the foundation for deciding the necessary steps to achieve the desired result.

We look at several organizational factors, as well as the roles, processes and documentation that exist, all from a GDPR perspective. If we already comply with PUL today and/or, for example, the ISO 27000 series, we have a shorter journey ahead. We map the existing data flows to identify what constitutes personal data and how it moves through the processes. Based on these mappings, privacy and data protection impact assessments (PIA and DPIA) are carried out. When this and much more is completed, there is a platform to start from.

One of the final steps in the feasibility study is to interpret the law in terms of its impact on our organization. We identify the relevant requirements and determine which parts of the GDPR do not apply to us. These interpretations are documented in Cockpit GDPR, which provides overview and control, and lets us explain specific decisions during audits or reviews.

Once the interpretations are complete, we compare them with the documented current situation. The gap between the two gives the actions needed to reach the desired position, expressed as a set of activities. These activities are then prioritized and included in a plan with resources and a budget. This creates a solid foundation for starting implementation.

Implementation

Depending on the nature of the business, the implementation can advantageously be divided into two phases. The first is to reach an agreed level that allows you to continue the work in collaboration with other parties, for example the GDPR projects of customers or suppliers. If you are a software company, for instance, there may be value in running certain parts together with, or in parallel with, your customers.

Activities are consistently documented in Cockpit GDPR, maintaining clear traceability between legal texts, interpretations and completed actions. This gives full control over progress, pending tasks and details such as estimates and dependencies. During an audit it is crucial to be able to show the interpretations made and the actions taken to meet them. If implementation is incomplete, being able to show progress, remaining tasks and expected completion dates is a strong advantage. In effect, the management of our GDPR compliance level begins here, early on.

Management

It is not enough to run an implementation project and reach a GDPR compliance level; it must be maintained. The world around us is changing, as are our own operations and the services and products we deliver. At some point there will be precedents that support a particular interpretation. These must of course be reconciled with our own interpretation and our solution, and it is then valuable to quickly identify which parts of our compliance solution are affected. Here Cockpit GDPR helps us stay in control.

Certain tasks must be performed periodically, e.g. training, updating and verifying documentation, and specifying requirements for new systems from a GDPR perspective. Cockpit GDPR helps us collect the procedures, documentation and activities involved, and reminds us when it is time to carry them out.

Cockpit GDPR

Cockpit GDPR is a tool that has given us strong support in helping organizations run compliance projects. It has been used in projects where the requirements are based on regulatory demands, among other sources. After the project, the tool serves as the day-to-day working tool for the administration and compliance functions, both of which regard it as one of their most essential tools for ongoing operations.

The GDPR consists of a number of articles that become applicable law on 25 May 2018. In addition, there are the recitals, official inquiries, etc., and once the regulation is in force there will eventually also be precedents. All of this is in Cockpit GDPR from the start.

Law and article database

Figure 1 shows the content of Article 7, Conditions for consent, in the GDPR. In addition to the text, there are links to related articles and recitals and, as they emerge, to precedents. These links are clickable, so the user can easily navigate between them.

Metadata can be assigned to each article, interpretation and activity alongside its content. Cockpit GDPR includes built-in metadata fields, and custom fields can be created without programming. These fields enable filtering and segmentation of the content within the tool, which lets us "zoom in" on a specific area, such as the current focus, for more targeted analysis and management.

Figure 1. Article 7, Conditions for consent in Cockpit GDPR

Interpretations and requirements

Figure 2. Example interpretation in Cockpit GDPR

Figure 2 presents an interpretation of Article 7 applied to a business context. This documentation is created during activities such as the feasibility study, and it sets out how the business chooses to comply with the legal text. Being able to demonstrate the decisions made and the activities undertaken to achieve compliance is crucial in a potential audit: it signals and proves that the business is in control of, and adheres to, the regulation.

Cockpit GDPR ships with some general interpretations, but we believe it is important that the business's own interpretations permeate the work.

After the interpretation has been finalized and documented, we identify the activities needed to achieve the desired result. These activities fall into two categories: implementation activities and management activities.

Control of activities

Figure 3 shows a set of implementation activities identified for the interpretation in Figure 2. Each implementation activity describes the task and can be assigned to a resource, estimated and given other details. Time is reported directly on the activity and aggregated upwards through the levels, and the aggregated data is presented clearly in dashboards.

Figure 3. Implementation activities in Cockpit GDPR

Cockpit GDPR – our support in the work

When we implement GDPR with full control together with our customers, we use Cockpit GDPR to good advantage. It is our tool for documenting the current situation, the interpretations and the activities during the feasibility study.

During the implementation, we use the cockpit partly to update status, time spent, delegation, etc. on the implementation activities, and partly to quickly find connections and record changes in interpretations.

In the management phase, we use Cockpit GDPR for support and reminders in the periodic activities that will recur in the future. It is also a support when we develop and launch new services and products.

Above all, it is our support during audits and reviews. Being able to quickly demonstrate control, structure and facts makes the work much easier. That is how we implement GDPR with full control.

Snapshots can be taken at any time and exported in various formats for further processing. For activities, we design a workflow that routes them efficiently through the business based on status, ownership and other criteria.

There is much more to show in Cockpit GDPR about how we can create and increase control over our GDPR implementation and management.

If you are curious about how you can benefit from a tool that we have found very useful, do not hesitate to contact us.

GDPR

The General Data Protection Regulation, GDPR, is a new data protection regulation that applies within the EU from 25 May 2018. The aim of the regulation is to strengthen the protection of personal privacy so that this fundamental right is balanced against other fundamental rights and legitimate societal interests. In addition, there will be a new Swedish data protection act (Dataskyddslagen) containing the Swedish supplements to the GDPR.

Samuel Persson

Samuel has worked as a consultant for 30 years in a variety of industries and business areas. His professional network and his thorough knowledge are the basis for the several executive and board member roles he has held.
