How to budget for a GDPR project


If you have been to any conferences lately, looked at privacy websites or spoken to your trusted privacy advisor, you have probably heard the following tune with increasing frequency: the May 2018 deadline for the GDPR is approaching fast, and you should be prepared and budget accordingly.

But what does this mean in concrete terms? Here are some tips on how to better estimate the costs of a GDPR project, breaking down the problem of budgeting into two clear steps.

First of all, what kind of changes should you expect?

The starting point for all budget planning is to understand the legal changes the GDPR will bring for your business. The GDPR brings a lot of changes for particular industries, for example, a change to the age at which children can consent, which will be relevant for companies targeting children with their services or marketing. Other changes concern the definition of profiling and the right of data portability. Those types of changes have been described already in a lot of articles, such as the Bird & Bird Guide to the GDPR.


Of even more importance from a budgeting point of view is the fact that the GDPR takes a fundamentally different approach to how privacy should be managed in an organization. Instead of relying on notifications of processing to data protection authorities, there will be many more obligations on organizations themselves to document data processing internally and manage risk accordingly. Organizations are accountable for implementing those changes, and many will need to appoint an internal or external data protection officer. The roles of processor and controller will change to some degree, which will necessitate changes to contract templates and potential renegotiation of contracts with vendors. It is advisable to address those changes via a privacy program with a special focus on GDPR. 

What will a typical GDPR project look like?

Typically, a GDPR project starts with a fairly comprehensive privacy audit. The audit should look at at least four areas of compliance: external communications, internal instructions, risk management and privacy processes, such as vendor management. External communications in this context means communications to consumers and customers as well as data protection authorities, commonly made through privacy policies or statements as well as consent forms. External communications need to be supplemented internally with instructions, for example by drafting a data-retention policy or policies regarding standard security measures. A very important part of any GDPR project should be risk management, in particular setting up a process that documents data processing and evaluates privacy risks. Where needed, this process will also lead to privacy impact assessments and subsequently decisions on risk by a competent body within the company.
