Running a GDPR project – Practical step by step guide

Step 1 – Records of Processing Activities

Start by documenting your Records of Processing Activities. They are a key deliverable of GDPR and must be provided to the supervisory authority on request, but they also act as a perfect basis for your planning:

  • You will be consistent in your responses
  • It requires fewer hours/days of analysis and you will be able to summarise it more easily

Step 2 – Define your lawful bases for processing

Now that you have completed a first draft of your records of processing, you will be aware of all your purposes of processing. Assign a lawful basis to each of these, but remember that the available lawful bases differ depending on whether you are processing special categories of data or criminal conviction data.

Step 2a – Legitimate interest assessments

Next, ensure you undertake and document Legitimate interest assessments (aka the balancing test) for every purpose for which you rely on legitimate interests as a lawful basis. If you find that your legitimate interests do not outweigh those of the data subject, go back to step 2 and choose a different lawful basis.

Step 3 – Data Protection Impact assessments

Undertake DPIAs for the areas where you identified risks while compiling your records of processing. Remember that DPIAs are only required where there is a high risk to the rights and freedoms of data subjects; the Article 29 Working Party has issued helpful guidance on this. Also document your DPIA process (outlining how to assess when one is required and how to carry it out) and its review schedule. On the DPIA itself, document a mitigation plan and separate solution requirements for each risk identified, including consideration of third country transfers.

Step 4 – Data Subject Rights and Consent Management

Assess which Data Subject rights apply to your business. You can gauge these by looking at which lawful bases for processing you rely on and listing the data subject rights that align with them. For example, SARs will apply to most organisations, but portability only applies to organisations relying on performance of a contract or consent, so you don’t have to prepare for portability unless you are using one of those lawful bases.

Step 5 – Breach Framework

Define your breach framework. You need to be able to accommodate the tight timeline for reporting a breach, so you must have the right processes to support this: channels for breaches to be reported, a plan for quick assessment, people responsible for swiftly coordinating the escalation and response, and templates for contacting the supervisory authority, just to name a few. I think this framework should look similar to a disaster recovery/business continuity plan.

Step 6 – Record Retention

Define your retention periods based on the maximum time you will keep data rather than the minimum. The GDPR sets out requirements for data minimisation and storage limitation but does not give you the periods. To avoid making this too complicated, it is best to base retention on your purposes of processing, flagging exceptions only where necessary. Don’t dream of defining it by data field. Update your records of processing with the retention periods or the logic behind them.

Step 7 – Fair Processing Notices and Privacy Policies

Prepare your Fair Processing Notices and Privacy Policies based on the information you gathered while completing your records of processing, lawful bases for processing and retention records. Decide how you are going to make these available to your data subjects at the time you collect their data. Regardless of channel, you should opt for layered information so the data subject can delve to the level of detail that suits them (consent must always be upfront), and don’t forget to consider minors. You will also need to document any requirements relating to third party responsibilities.

Step 8 – Solution options

By now you will have solution requirements gathered from the activities above. You can pass these to your technical team, but first supplement them with any additional requirements from the GDPR principles (Article 5) and privacy by design and default (Article 25). IT can then start investigating solutions.

Step 9 – Third Parties

In the meantime, start serious discussions with Third Party partners to ensure they will fulfil everything you have identified above. It is ok to talk to them before this point, but the discussion won’t be meaningful unless you have a good understanding of your needs (the principle outlined in my first top tip blog explains this). Third party discussions will need to be backed by contract changes, so you will have to draw these up, along with data processing agreements. If you rely on third party applications, pass your solution requirements on to those providers.

Step 10 – Governance Framework

Document your governance framework, including the roles and responsibilities of the DPO and any support team. Here you may identify resource needs for your future operating model. This step should also include updating company policies and the reporting required to assess and evidence compliance in line with the accountability principle.

Step 11 – Solution Implementation

Once you have a clear idea of the solutions, work towards implementing them. Where solutions cannot be automated, revisit steps 4 and 5 to develop and embed manual processes where possible.

Step 12 – Training

Document your training plans and material based on the information you have captured to date, then roll out the training.

Step 13 – Run a mock breach exercise

Do exactly what the title says, and update the framework if the exercise reveals any issues.

Step 14 – Start again

Not quite, but plan to review all of the above regularly. GDPR is for life, not just for May.

Dominga Leone CIPP/E CIPM

Dominga is a business professional with extensive experience providing advice on Privacy, Operational Efficiency and Digital Change.