The document outlines a draft GDPR compliance program implementation overview. It includes a 6 month transition period to complete readiness. Key activities include system testing, deploying a data protection management system globally, training, and prioritizing long lead items. A transition team is identified and governance structure is defined. A transition methodology is provided which includes phases for planning, assessment, design, deployment, and handover. An implementation schedule and milestones are outlined. Risks are also identified and mitigation strategies proposed.

1. GDPR Compliance program
Implementation overview (Draft)
by Tolu Falusi
September 2017

2. Approach
• An estimated six-month transition period to complete compliance readiness
implementation.
• Assumption – December 2017 will be treated as holiday/ freeze period
• System Testing and Penetration testing (security system) will start +4months
and overlap to +5months followed by a go-go/readiness review and go-live in
+6months.
• Data protection management system (DPMS) will be deployed as a global
implementation.
• Priority will be given to Knowledge acquisition, training and long lead items
such as staffing.
• DPMS support will be deployed directly following testing and handover to
DPO/BAU.

3. Transition team
Account Executive
Security manager
Program/Transition Manager
Legal/Contract manager
Service delivery Manager
Tools Implementation
manager (DPMS)
Developers, architects,
storage/Web/DB/QA managers
Testing Manager
GDPR Internal compliance team
DPO
DPO to be on-boarded
during implementation

4. Governance
FrequencyForum Membership Level
Chaired by
PM
Membership
Executive Sponsor
Program Manager
Steering
Committee
Bi-Monthly
Chaired by
PM
Membership
Program Manager
Workstream Leads
Project
Office
Weekly
Chaired By
PM/ Workstreams
Membership
WorkstreamWorkstream
Ad-
Hoc/Daily

5. Transition Methodology
TRANSITION GOVERNANCE
PLAN ASSESS DESIGN DEPLOY HANDOVER
Create, document and
publish access,
consent & information
process flow for
subjects.
Complete staffing.
Implement Data
Protection solutions:
 Security measures
 Encryption/Pseudony
misation
 Subject rights
 New protection and
processing policies/
processes/DPMS
 Breach reporting flow
 Third party contracts
 Testing
 Go – live support
 Training/KB
 International working
Assess and present
go-live readiness.
Develop governance
plan
Approve
implementation plan
Design project logs
Conduct kickoff
sessions
Initiate long lead
time tasks –
recruitment
Initiate staffing with
HR
Initiate
communications
plan
Coordinate data
processing
analysis and data
flow assessment
Document gaps
and proposed risk
mitigations
Create DPIA
template, process
& execute
Baseline DP
measures in place
Document location
& personal data
processing activities
Create data subject
access, information
sharing process &
DPIA templates
Create breach
reporting template
Create test plan and
test team
Create standard
reports
Review and
approve security &
data protection
measures design
Take action to meet
GDPR requirements
Regular assessment
and testing
Initiate performance
reporting
Initiate support
Handover to – DPO
and BAU
Conduct closure
review and lessons
learned
QUALITY GATE
Project Plan
QUALITY GATE
Gap analysis Report
QUALITY GATE
Docs, processes
& DPIA template
signed off
QUALITY GATE
Go-Live
Readiness
QUALITY GATE
Handover
artefacts
GDPR
READY

6. Implementation Schedule
Month 1 Month 2 Month 3 Month 4 Month 5
Kickoff
Plan ApprovalPlanning
Gap ReviewAssessment
HR - Recruiting / Onboarding / KB/Training
Design ApprovedDesign
Go/No Go Decision
Deploy
Milestones / Gate Reviews
Service Commencement
System testing Test complete, system
ready
DPMS ELS supportGo Live
DPMS Integration
GDPR compliant
Readiness review
Month 6
DPO onboard
DPMS ready

7. Milestones
Ref Major Milestones Due Date
1 Kick off meeting Month 1
2 Implementation plan approval Month 1
3 Assessment report/ Gap Log review Month 2
4 Tooling (DPMS) live Month 3
5 Design approval Month 4
6 Staffing - DPO/KB/Training complete Month 4
7 Security system test Month 4
8 Deploy stage sign off Month 5
9 Readiness review/ Go-no-go Month 5/6
10 Go Live Month 6

8. Risk Mitigation Risk Avoided
1Staffing Engage HR team immediately after Charter is
signed and closely track on-boarding status for
immediate escalation and response.
HR staffing to meet implementation
timeline, risk of not having resources
available to meet Service
Commencement timeline.
2Data location &
processing
model
Initiate data discovery and mapping, document
findings, gaps and current data processing
model to use as baseline to kick off GDPR
compliance project.
Difficulty in locating data or account for
personal data.
3Schedule Detailed transition schedule will be developed
during planning phase of transition
incorporating all GDPR requirements and
managed throughout the transition. Long lead
items will be started early to reduce risks at
service commencement (DPMS, training,
testing, KT, etc.)
Lack of clarity on the planned
implementation of GDPR compliance
exercise. DPMS tool can impact on
transition timeline – in case there is need
to train agents for additional tool
4Knowledge
Transfer
Joint governance program established with third
parties during Transition to ensure effective
communication, collaboration and co-operation
between all parties
Existing service providers withhold data
information or key knowledge or become
uncompromising and declines access.
5Communication Thorough communication plan developed
specific to GDPR education and implemented
during the transition period
Communication to all staff, including
potential change to data processing
model, security updates and disruption of
service if expected.
Potential risks and mitigations

9. Thank you

10. European data protection board
Lead Supervising authority
(Information commissioner’s office)
Processors
Controllers
(Organisations)
Data Subjects
(Individuals)
3rd Parties
3rd Countries
(Data transfer
destinations)
GDPR Structure
European data protection board
Lead Supervising authority
(Information commissioner’s office)
Processors
Controllers
(Organisations)
Data Subjects
(Individuals)
3rd Parties
3rd Countries
(Data transfer
destinations)