The document outlines a project management approach for companies preparing to meet the EU's General Data Protection Regulation (GDPR) deadline of May 25, 2018. It recommends starting with a project charter that includes a statement of work, target schedule, and budget, followed by creating a project management plan detailing scope, deliverables, and risks. Key deliverables for compliance include a GDPR compliance manual, policies, procedures, and necessary documentation for internal audits and regulatory compliance.

1. April 4, 2018
Planning for GDPR
pm-workshops.com/planning-for-gdpr
The GDPR Plan:
Getting Started
Even though the implementation deadline for the EU’s General Data Protection Regulation
(GDPR) is fast approaching (25 May 2018,) there are still many companies of all sizes who
are not ready for it.
As a consultant working in the area of project management, I approach almost everything
as a project and recommend to my clients they do the same. The advantage of taking this
approach is that it can take something seemingly insurmountable and decompose it into
more manageable pieces. So, even with the looming deadline, start with a project charter,
such as the following example, which includes, among other things:
Statement of Work: Prepare the policies and procedures needed to abide by the
GDPR…
Target Schedule: by 25 May 2018
Target Budget: 200 staff hours or 20.000 €
Business Case: legal requirement for anyone working within the EU and/or managing
data of EU residents….
Other relevant information…
The project charter documents the amount of effort, time and cost required to get the job
done, which helps stakeholders better understand what is involved and how they can best
approach the actual project work.
1/3

2. The Project Work (The How)
Whether you are trying to meet the 25 May deadline or finish as close to that date as
possible, you need to create a PM Plan to get the work done. It does not need to be
anything more than a continuation of the project charter, but with the following additional
items:
Scope: add deliverables, such as the policies, procedures, etc.
Quality: as needed
Resources: staff, programs, materials (regulations, research, etc.)
Communication: meetings with key stakeholders throughout the process
Risks: such as missing the 25 May deadline (threat,) demonstrate compliance with
clients (opportunity,) etc.
Procurement: outsourcing to consultants, purchase materials, etc.
Stakeholder Management: current and potential new clients, regulators, etc.
Keep in mind that I am not suggesting preparing an extensive PM Plan; just enough of a
plan to make sure the key items are covered such as in the list above.
Deliverables (The What)
With the help of the WBS developed within scope and requirements management, we can
sort out the deliverables needed to comply with the GDPR, such as:
Procedures and policies incorporated into your company’s “GDPR Compliance
Manual,” including:
The Information Security Management System (per ISO 27000)
Policies for consent
Reporting breaches to the Supervisory Authority (SA)
Training Manual
2/3

3. Audit Plan and Schedule
Templates
Reporting breaches to data subjects, the SA, etc.
Contracts for data collectors and processors
Requirements Collection
Date request intake forms
Consent forms
Language versions of your policies (English, Spanish, German, Mandarin, etc.)
Other deliverables
These deliverables represent the guidelines needed to address the GDPR, as well as the
documentation needed for internal audits, as well as for demonstrating compliance should
there be a breach and the SA and/or legal and judicial agencies conduct their own audits.
By following this PMI Framework in managing projects, you will be able to ensure that the
facets of the GDPR are covered and that you performed due diligence in addressing this
new regulation. Both of these tasks are crucial should you have to go to the SA some day.
You will be glad you did!
Jorge Romero-Lozano, Dipl. Ing, LEED AP, PMP is a consultant working worldwide in the
fields of project and program management for diverse industries, including data security,
risk management, change and configuration management, and strategy planning.
3/3