Governance, Risk Management, and Compliance blog

GDPR: You Passed the Test – Now What?

Friday, 16 February 2018 / by Jakob Holm Hansen

Picture this: it’s the end of May and you’ve managed to fulfil the criteria of the EU Data Protection Regulation - you’ve achieved GDPR compliance. But how do you make sure you stay compliant in the future?

No doubt the GDPR implementation project was big and required a team effort. There might even have been extra resources allocated, as everyone realised the importance of getting this right. But now that the deadline has passed, and the goal has been met, your co-workers need to get back to their day-to-day assignments. So how do you successfully maintain continuous GDPR compliance with half the people, and maybe even half the resources?

Lone Forland, Product Specialist and Training Excellence Manager, says the key is to create an annual cycle of compliance. “It’s easier said than done, and the thought of creating an annual cycle of compliance can seem a bit overwhelming, but it doesn’t have to be, as long as you start by breaking the project down into smaller components,” says Lone Forland.

GDPR Compliance - Step by Step

Lone Forland compares the situation to a cleaning project: “imagine that you have a to-do list that only reads: clean the house. It seems simple enough, but somehow you don’t know where to start, and the thought of having to complete the task seems impossible. However, if you break cleaning down into smaller components such as hoovering, dusting, doing laundry, etc., and then delegate some of them to others in the house, it suddenly seems doable.”

When setting up a continuous compliance project for GDPR, you can approach it the same way: instead of your to-do list simply reading "GDPR compliance", break it into smaller components such as documenting processing activities, carrying out a gap analysis, training and educating employees, etc. These can be broken down into even smaller tasks if needed. More importantly, the individual tasks need to be delegated to the appropriate people, so that the entire project does not rest on the shoulders of a single employee.


Integrating Your Annual Cycle of Compliance

Once you have an idea of what your GDPR project entails, the next step is to create a timetable for when each project needs to be carried out. Suddenly, your annual cycle of compliance starts to take shape. However, this is where you might run into obstacles such as lack of time, or conflicting time schedules. Lone Forland has outlined three tips to make sure the annual cycle is successfully established and maintained:

  • Coordinate: When delegating projects, it’s important to take the employees’ schedules into consideration. “For example, if the marketing department has an important campaign running in the spring, they’ll probably not prioritise a GDPR project during that time. It’s better to assign them GDPR-related projects during some other time of the year,” explains Lone Forland.
  • Assign: Lone Forland stresses that it’s not enough to create an assignment; somebody needs to take responsibility for it: “opt-in tick-boxes on your website’s marketing forms? Assign it to Mark in marketing, and make sure Mark has the time and resources to maintain the forms, so that they always live up to the Data Protection Regulation.”
  • Re-use: Lastly, Lone Forland stresses that you should re-use existing procedures: “don’t build yet another silo of rules and processes. Make use of existing processes and departments wherever possible. This minimises the amount of extra work created and makes the integration of GDPR-related work more seamless.”

