PM comes to the Project Sponsor, GDPR and GDPR
And here the trouble begins. Who in a large company will accept this hot potato? This is the first difficult decision. GDPR affects the entire organization. Depending on the organization, the potential favorites are the legal, compliance, security and IT departments. Who will be the loser? I once saw a great picture online. It showed GDPR as an elephant and representatives of various departments touching individual parts, which was supposed to illustrate how they understand GDPR.
The whole truth… Everyone understands GDPR in their own way, because we are used to “taking care” only of our own backyard. This is my concern, and this is yours, I did my part. GDPR has shown that such tactics will not work in this case. We are in the same boat, either together or not at all.
Okay, we have established that someone has to be the Sponsor and be the face of the project. It is a matter of compromise, everyone is important, but someone is the most important. The first success has been ticked off, we have it! For me, it is the compliance department. So I go to get the so-called project background and collect requirements. I have my questionnaire and I ask standard questions, i.e. what are the requirements, what needs to be done, what are the measures of the project’s success, what is our budget

GDPR and GDPR
I can't count the hours spent searching for a solution, best practices for approaching the subject and available materials. The Internet suggests that there is no proven approach; everything depends on the company, its culture, organizational structure, etc. I check the proposed approaches: waterfall does not fit, agile does not fit, so what does? In this case, a tailor-made solution is needed. We have a regulation, but there are simply no requirements. Subsequent meetings do not move us forward, and I have to develop a plan, define specific tasks and answer the question of when exactly we will be GDPR compliant. I proposed a top-down approach, i.e. let's start with what we should have on May 25 to prove compliance to auditors.
It wasn’t difficult, because such materials had already been developed by the largest law firms, associations, etc. It was still not a specific plan, but a good start. I called the basic document a checklist; it was appropriately reworked with the sponsor’s participation and adapted to the company. Now I was able to assign specific points to the appropriate departments. I managed to convince the Management Board to take an unconventional approach, because a detailed plan was to emerge in the following months of work, when we would know what GDPR really is.
Analyzing the 250 activities from the checklist, I understood that the implementation of each of them involves the cooperation of various specialists. These are like small projects. I am establishing the so-called GDPR Working Group, a working group consisting of representatives of individual departments that I considered key. I have invited representatives of IT (architects, data governance, IT security), compliance, lawyer, HR, risk, finance, marketing, customer care, etc. We agree that we will meet in this group every 2 weeks to exchange information and look for common solutions.