15980 - Project One GDPR Brochure RGB REVISED JAN 2018 v2


We believe GDPRmay be one of the strongest forces of change in business for a generation.

Trust in Transformation On 25th May 2018 the new General Data Protection Regulation (GDPR) will come into force signalling the arrival of the most all-encompassing privacy and protection legislation ever created.

25TH MAY 2018

A GDPR change programme will cut across every business unit and system, and will impact the vast majority of business processes. If you’ve already started on your programme, but are unsure whether it will deliver compliance for your organisation and within the required timescales, then talk to us. We can help you to assess your readiness and, if required, help to deliver your programme. Project One has expertise in engaging senior stakeholders and partners, managing complexity and bringing clarity and pace to this type of extensive change. “GDPR puts an onus on businesses to change their entire ethos to data protection.” Elizabeth Denham, UK Information Commissioner.

The regulation places the ownership of an individual’s data in their hands, which means businesses need to review and revise how they are holding and using personal data in every part of their organisation. It’s conceptually very simple - to focus on creating trust - providing for data privacy by design and by default. With that simple concept comes a raft of new requirements and a need in many businesses for a significant transformation across people, processes, technology and data. We believe GDPR may be one of the strongest forces of change in business for a generation. It will consume attention and resource, particularly if it is not managed properly.


Whilst the focus of attention has, understandably, been on the eye-watering sanctions that accompany the regulation, few businesses have yet given consideration to what the GDPR actually demands of them, let alone how to move towards compliance in their organisation. It's worth pausing here to state the obvious. Getting GDPR right, and building a new trust with your customers, can yield real opportunity. Getting it wrong will land your business on the wrong side of your customers, shareholders, the regulator and very possibly, the wrong side of the tabloids.

The Journal of Business Ethics describes trustworthiness as a “source of competitive advantage.”

In this document, we set out what needs to be done to address the GDPR requirements. Our recommendations are three-fold: talk to your board; talk to your lawyers; talk to us.

Talk to your Board All real change starts in the boardroom. Personal sponsorship from the 'top table' will be vital to driving the changes you’ll need to implement. Also, the regulation includes a new ‘accountability principle’ which requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility. Governance is a feature of the GDPR expectations. It's worth reflecting that amongst the numerous punishments the Information Commissioner’s Office can issue, the Regulator can impose fines of up to 4% of your annual global turnover.

To help frame the board discussion, we have devised a GDPR Readiness Executive Self-Assessment Tool, which you’ll find over the page.


Project One

Rate your business on a scale of 1 to 5 for each of the following 15 questions; (1 = no/don’t know, 2 = somewhat, 3 = aware but no action yet taken, 4 = plans in place, 5 = fully compliant).


1. ACCOUNTABILITY 1.1 Executive Accountability. Is your Board of Directors aware of the

GDPR requirements for the business and for their functional responsibilities? 1.2 Management Accountability. Does your business have a nominated data protection officer?

1.3 Individual Accountability. Does your business provide data protection awareness and instruction for all staff to ensure their compliance with the GDPR?

2. GOVERNANCE 2.1 Policy. Has your business established a data protection policy compliant with the requirements of the GDPR? 2.2 Data Held. Has your business catalogued all the personal data it holds, where it is held and how it is processed and/or shared?

2.3 Data Protection by Design. Has your business established a process to ensure new products, services or initiatives are privacy-proofed at the design stage?

3. PRIVACY AND CONSENT 3.1 Privacy Notices. Does your business have privacy notices readily available if needed?

3.2 Consent Management. Has your business established a process to gain adequate and informed consent, including the additional responsibilities where children's data is concerned? 3.3 Delivering Individual Rights. Is your business equipped to respond to individuals' rights to access, amend, export or delete their personal data within the required timescales? 4. HOLDING AND HANDLING DATA 4.1 Lawful Basis for Processing Data. Has your business confirmed it has a 'lawful basis' for holding and processing personal data under the GDPR? 4.2 Data Quality and Accuracy. Has your business taken steps to ensure all personal data is of sufficient quality and accuracy to make decisions about individuals?

4.3 Retention and Disposal. Has your business established a process to routinely dispose of personal data that is no longer required, in-line with agreed timescales?

5. DATA SECURITY 5.1 Security Policy. Has your business established an information security policy supported by appropriate security measures? 5.2 Data Transfers. Does your business ensure an adequate level of protection for personal data processed or held by others on your behalf, including data transferred outside the European Union? 5.3 Data Breaches. Does your business have in-place the capability to recognise, report and resolve a data breach?


If you scored fewer than 60 points, you have work to do and little time left to do it! Project One can help.


Talk to your Lawyers As with many regulations, full compliance will be a journey in which the end goals will change over time as the regulation is revised, amended and tested.

The regulation is far reaching and has a myriad of subtle implications making full and incontrovertible compliance a difficult concept to define, let alone comply with. In the time that remains before 25th May 2018, we strongly recommend that you consult your legal advisors to determine what your best legally defensible position is likely to be. Please note the phraseology here: “defensible position.” Applying the regulation in large, complex, global, data-rich organisations

will clearly require careful and thoughtful interpretation. Implementing a business change programme to achieve a legally defensible position and move towards full compliance, however, cannot be the preserve of the legal team, no more than it can be driven from IT. It must be driven from the CEO, via the COO, with input from the rest of the C-suite and support from a trustworthy consulting partner.



Project One

Talk to Us We can help you to: determine your level of preparedness to comply with the GDPR; review and assure your existing GDPR compliance programme; or work with you to shape, lead and deliver your programme.

Conduct an In-Depth GDPR Readiness Assessment – a tools-based readiness assessment will investigate each of the following four key steps:

Like every major change programme, there is a logical step-by-step approach that should be employed to ensure that each critical component is given due care and attention. The following actions are a good place to start: Conduct a Privacy Impact Assessment (PIA) – certain organisations are legally obliged by the regulation to conduct a PIA, but it is considered good practice for every company to do one - it will identify areas for attention and forms the basis for the business case for the monies needed to fund the change programme.

04 Do you have a lawful basis to use Personally Identifiable Data?


03 How are you

using Personally Identifiable Data?

02 Where is the Personally Identifiable Data located?

01 What Personally Identifiable Data do you hold?


Employ Threat Detection – the GDPR requires your organisation to inform the regulator within 72 hours of a breach. Timely detection will be key and organisations should consider deploying breach detection technologies. Examples of these are: network traffic management; database and content repository usage; user log-on profiling; dark web detection to identify if any of your data has already been compromised and is openly available for sale. Implement a Case Management Process – no matter what defences are employed, a data breach will always be a real threat. Over 90% of breaches happen internally, where employees have legitimate access to personal data but use it in a non-compliant manner, unintentionally or otherwise. You should build a case management strategy to address the likely breach scenarios. Together, these activities will enable you to work towards a GDPR defensible position, provide direction for your GDPR compliance programme and provide the basis for your ongoing annual GDPR audit.

The in-depth GDPR Readiness Assessment will deliver multiple valuable outputs: • Gap Analysis – People, Process, Technology, Commercial etc. • Review of Security - Policies, Process and Procedures • Data Use Case Management • Consent Management Actions • Technology Assessments • Business Process Assessment • Actionable Plan As a minimum, the action plan is likely to include the following: Provide Training – everyone in your business needs to be educated on what they can and cannot do with personal data, including executive certification training for the executive sponsor and key individuals. Establish Data Subject Access Request Management (DSAR) – DSAR management is likely to have the largest single long-term impact on most organisations. Having an effective DSAR process and a responsible person or team will be critical to responding appropriately to new consumer access rights.

One More Thing We strongly recommend...

...you register now with the Information Commissioner’s Office (www.ico.org.uk). It will be necessary to do so once the GDPR comes into force. The ICO also has a wealth of useful information and guidance on their website.


Project One

ABOUT US Businesses are facing an unprecedented level of change in areas such as digital technologies, IT transformation, regulatory impact, business separation, cost reduction or shared service transformation.

For many, delivering change of this scale and complexity is not a core capability. At Project One we’re passionate about helping ambitious organisations to meet the challenge of change. We specialise in dealing with the difficult, hard to manage aspects of change. We call it real change, and it’s all we do. We work with many of the UK’s largest organisations, helping them deliver business-critical change that makes a tangible difference to their future. Delivery usually involves distributed teams, multiple third parties and multi-million pound budgets with a high cost of failure. It’s complex, and it takes real experience.

Our team of change leaders bring expertise and leadership to deliver real change with greater certainty and pace. Project One is increasingly being asked to contribute in-depth information and insight expertise to enable clients to move faster than ever before to address their digital goals. We're already working with some of the world's most prestigious companies on their GDPR compliance and transformational business change.

“It was impressive how the Project One individuals came on board our fast-moving train. They plugged in our capability gap with specific skills and got up-to-speed very quickly. They turned up on Monday and started adding value by 10:00am.” Jonathan Manley, IT Director, Harrods “...it was a highly visible, regulated project, separating two regulated entities. We delivered on time and under budget, which is a great testament to the team and capabilities working on the programme. How Project One do things is key and you achieve that through the people. The team were motivated and worked hard.” Andy Maher, Head of IT, CFSMS, The Co-operative Group

If you would like to speak to Project One about how we can help you with your digital goals then please contact us.

 : +44 (0) 1477 544 462  : gdpr@projectone.com CONTACT:


Page 1 Page 2 Page 3 Page 4 Page 5 Page 6 Page 7 Page 8

Made with FlippingBook - Online Brochure Maker