Regardless of whether it's a start-up, an SME or a corporate group, many processes start with an inventory. In the area of data protection and data security, too, the actual status quo of operational processes must first be determined, in other words: what are the legal requirements and where do we stand? The gap between the two is identified with a fit-gap analysis.
1. It starts with an inventory to find out how your company is positioned in data protection (don't forget data security!) & which tasks you have to complete by May 2018. This usually involves interviews with all contacts, e.g. department heads or C-levels (in the case of start-ups whose organisation is still clear).
2. Now all findings are analysed and evaluated to create a report with the most important measures (alternatively have it created). Always remember: Documentation is the be-all and end-all in data protection management and thus a core element of the fit-gap analysis.
3. Before you start implementing the identified measures, talk to the management.Who is responsible for implementing which measures? Keep an overview list or roadmap of the most important to-dos. Do not forget responsibilities and deadlines!
4. Then it's finally time for implementation! Update the lists of processing activities and data protection declarations on the website, check consents, contract processing and plan vulnerability analyses and system tests.Data protection training should not be missing to create the necessary "awareness" for the new EU data protection right from the start. And: Check the progress of the implementation, ideally weekly at the beginning, ideally in project meetings! The motto is: Stay on the ball!
5. But: It is not a matter of fundamentally turning the data protection culture in the company upside down from one day to the next. It is not for nothing that the GDPR finally introduces continuous and risk-based audit processes (PDCA). Identify risks.Document risks. Initiate measures. Get better step by step.