General Data Protection Regulation - GDPR
GDPR – Strategic Change
▶ Ownership
▶ Priorities
▶ Communication
▶ Risk
▶ Time
▶ Cost
▶ Opportunity
Biometric data, Vehicle Regn, IP address, Passport number, NI number, Email address, Full name, First name, Last name, Login details (username), Postcode, Genetic info, Birthplace, Date of birth, Digital identity, Credit card no, Telephone no, Workplace, Drivers licence no, Cookies, Criminal record, Salary, Gender, Age
It’s all of the above
[Slide: Competitive Advantage curve and Change curve plotted against TIME]
Stages along the time axis: Awareness of GDPR; Attend public GDPR events; Daunted by the scale of GDPR; Start small with focused workshop or live project; Implement a company specific programme.
Competitive Advantage curve: Early Adopters, Early Majority, Late Majority, Laggards.
Change curve: Shock, Denial, Frustration, Depression, Experiment, Decision, Change success.
Typical questions for discussion
• What consent do I need?
• Do I need to get opt-in permission for existing customers/prospects?
• What is legitimate interest?
• When do I have to be compliant?
• What data is included?
• How do I secure data in cloud software?
• What is the difference between business and personal data?
• How can I store data?
• What if I have printed data?
• Who owns the data?
• What level of security is needed for data and emails?
• What are my responsibilities for data shared with my supply chain?
• How can I do telemarketing?
• What is the impact for payroll and pensions for staff?
• What are the likely fines?
• How do I handle subject access requests and the confirmation of identity?
• What level of education do I need for the company?
Breach Management
▶ Produce an incident management plan
▶ Communicate the plan to all staff
▶ Inform the team who to contact if they have concerns
▶ Ensure that all your suppliers / data processors have an equivalent plan (and that their teams know about it)
▶ As controller you must ensure processors report any breach without delay
▶ Damage limitation on your brand / reputation
▶ Real life risks – malicious intent, human error, ambulance chasing, …
If you take one action away today, we would recommend starting with the simple process outlined here to follow data into your company to see:
• What personal data is taken?
• Who touches it?
• What gets done with it?
• Where is it stored?
Engagement options (each column offered as Augmentum managed or Company managed):
One off meeting | 1/2 days per week | 3/4 days per week

Project Governance | √ | √ | √
Project strategy initiation to include data mapping requirements, process review, project communication, budget planning, resource skill and availability | √ | √ | √
Project initiation and audit pilot / project to complete data/process mapping. Process assessment and adjustment | √ | √√? | √
Data policy drafting and sign off. Staff communication, training. Consent wording for all data capture methods | √ | √√? | √
Engaging/managing external experts for legal, IT, etc | √ | √√? | √
Supply chain requirements and contract implementation | √ | √√? | √
Project testing and review | √ | √√? | √
Ongoing review and audit | √ | √ | √
GDPR services
The complex nature of GDPR projects requires the right initiation, which then informs the budget and resources required to work towards compliance. The matrix has been designed to give an overview of the elements involved and to recognise that a mix of internal and external resources will be required.

GDPR Workshop
    One off meeting1/2 days per week 3/4 days per week Augmentum managed √ Company managed √ Augmentum managed √ Company managed √ Augmentum managed √ Company managed √ Project Governance √ √ √ Project strategy initiation to include data mapping requirements, process review, project communication, budget planning, resource skill and availability √ √ √ Project initiation and audit pilot /project to complete data/process mapping. Process assessment and adjustment √ √√? √ Data policy drafting and sign off. Staff communication, training. Consent wording for all data capture methods √ √√? √ Engaging/managing external experts for legal, IT, etc √ √√? √ Supply chain requirements and contract implementation √ √√? √ Project testing and review √ √√? √ Ongoing review and audit √ √ √ GDPR services The complex nature of GDPR projects requires the right initiation which will then advise on the budget and resources required to work towards compliance. The matrix has been designed to give an oversight of the elements and a recognition that there will be a mix of internal and external resources required.