
GDPR Preparation Project Plan

NOTE: All tasks and resources assigned are approximations and will depend on the specifics of your project. If appointed, the Data Protection Officer may take the role of Project Lead.

| Ref. | Task | Main GDPR Reference | Effort (man-days) | Resource | Progress | Status | Start Date | End Date |
|---|---|---|---|---|---|---|---|---|
| 1 | GDPR preparation project | | | | | | | |
| 1.1 | Perform gap assessment | | | Project Manager, Project Lead | 0% | Not started | | |
| 1.2 | Gain senior management commitment | | | Project Manager, Project Lead | 0% | Not started | | |
| 1.3 | Initiate project with appropriate resources and budget | | | Project Manager | 0% | Not started | | |
| 1.4 | Establish document control | | | Project Manager | 0% | Not started | | |
| 2 | GDPR roles, awareness and training | | | | | | | |
| 2.1 | Conduct communication programme to suppliers and other stakeholders | | | Project Lead | 0% | Not started | | |
| 2.2 | Define GDPR roles and responsibilities | | | Project Lead, Senior Management | 0% | Not started | | |
| 2.3 | Identify lead Data Protection Supervisory Authority | | | Project Lead, Senior Management, Legal | 0% | Not started | | |
| 2.4 | Appoint Data Protection Officer (if required) | | | Senior Management | 0% | Not started | | |
| 2.6 | Conduct GDPR competence and training needs assessment | | | Project Lead | 0% | Not started | | |
| 2.7 | Perform GDPR-related training and familiarisation | | | Project Lead | 0% | Not started | | |
| 2.8 | Conduct GDPR and information security awareness training | | | Project Lead, Information Security Manager | 0% | Not started | | |
| 3 | Personal data mapping | | | | | | | |
| 3.1 | Conduct initial personal data information gathering exercise | CHAPTER II - Principles | | Project Lead | 0% | Not started | | |
| 3.2 | Perform audit of personal data by business area | CHAPTER II - Principles | | Business Area Leads | 0% | Not started | | |
| 3.3 | Identify lawful basis for processing personal data in each case | Article 6 - Lawfulness of processing | | Business Area Leads, Legal | 0% | Not started | | |
| 3.4 | Conduct legitimate interest assessments where required | Article 6 - Lawfulness of processing | | Business Area Leads, Legal | 0% | Not started | | |
| 3.5 | Identify record-keeping requirements and procedures | Article 30 - Records of processing activities | | Project Lead | 0% | Not started | | |
| 4 | Privacy policies and notices | | | | | | | |
| 4.1 | Define personal data retention and protection policy | Article 5 - Principles relating to processing of personal data | | Project Lead, Business Area Leads, Legal | 0% | Not started | | |
| 4.2 | Create or amend existing privacy notices | Articles 13 and 14 - Information to be provided | | Business Area Leads | 0% | Not started | | |
| 4.3 | Review and amend consent methods and procedures | Article 7 - Conditions for consent | | Business Area Leads | 0% | Not started | | |
| 4.4 | Address age-related consent and controls (children) | Article 8 - Conditions applicable to child's consent | | Business Area Leads | 0% | Not started | | |
| 5 | Rights of the data subject | | | | | | | |
| 5.1 | Create and implement data subject request procedures | CHAPTER III - Rights of the data subject | | Project Lead | 0% | Not started | | |
| 5.2 | Start recording data subject requests | CHAPTER III - Rights of the data subject | | Data Subject Request Administrator | 0% | Not started | | |
| 6 | Controllers and processors | | | | | | | |
| 6.1 | Update contracts with processors to be GDPR compliant | CHAPTER IV - Section 1 - General obligations | | Legal | 0% | Not started | | |
| 6.2 | Distribute supplier questionnaires regarding personal data protection | CHAPTER IV - Section 1 - General obligations | | Legal | 0% | Not started | | |
| 6.3 | Provide information to controllers for whom we act as a processor | CHAPTER IV - Section 1 - General obligations | | Legal, IT Management | 0% | Not started | | |
| 6.4 | Update contracts with controllers to be GDPR compliant | CHAPTER IV - Section 1 - General obligations | | Legal | 0% | Not started | | |
| 6.5 | Address employee confidentiality requirements | CHAPTER IV - Section 1 - General obligations | | Human Resources | 0% | Not started | | |
| 7 | Data protection impact assessment | | | | | | | |
| 7.1 | Define data protection impact assessment process | CHAPTER IV - Section 3 - Data protection impact assessment | | Project Lead | 0% | Not started | | |
| 7.2 | Conduct data protection impact assessment training | CHAPTER IV - Section 3 - Data protection impact assessment | | Project Lead | 0% | Not started | | |
| 7.3 | Perform initial data protection impact assessment | CHAPTER IV - Section 3 - Data protection impact assessment | | Business Area Leads | 0% | Not started | | |
| 8 | International transfers | | | | | | | |
| 8.1 | Identify international transfers of personal data | CHAPTER V - Transfers of personal data to third countries | | Project Lead, Business Area Leads, Legal | 0% | Not started | | |
| 8.2 | Assess legality of existing international transfers | CHAPTER V - Transfers of personal data to third countries | | Legal | 0% | Not started | | |
| 8.3 | Put in place agreements for international transfers of personal data (where required) | CHAPTER V - Transfers of personal data to third countries | | Legal | 0% | Not started | | |
| 9 | Personal data breach management | | | | | | | |
| 9.1 | Create information security incident management procedure | CHAPTER IV - Section 2 - Security of personal data | | Project Lead, Information Security Manager | 0% | Not started | | |
| 9.2 | Create personal data breach notification procedure | CHAPTER IV - Section 2 - Security of personal data | | Project Lead | 0% | Not started | | |
| 9.3 | Conduct information security incident management training | CHAPTER IV - Section 2 - Security of personal data | | Project Lead, Information Security Manager | 0% | Not started | | |
| 9.4 | Test incident management and breach notification procedures | CHAPTER IV - Section 2 - Security of personal data | | Project Lead, Information Security Manager | 0% | Not started | | |
| 10 | Project closure | | | | | | | |
| 10.1 | Repeat gap assessment to identify remaining non-compliant areas | | | Project Manager, Project Lead | 0% | Not started | | |
| 10.2 | Address any remaining non-compliant areas | | | Project Manager, Project Lead | 0% | Not started | | |
| 10.3 | Perform post-project review | | | Project Manager, Project Lead, Business Area Leads, Legal, IT Management, Senior Management | 0% | Not started | | |

In section 2, the Main GDPR Reference "CHAPTER IV - Section 4 - Data protection officer" applies to four of the tasks.


GDPR-DOC-01-3 GDPR Preparation Project Plan  
