
GDPR Preparation Planning Gantt Chart

GDPR enforcement date: 25 May 2018. From that date, organisations that are not compliant may face heavy fines. We're here to help you become compliant.
Project Manager / DPO: [insert name]

Columns: Activity | Example template | Related GDPR Article | Lead, followed by the timeline (week commencing). The first timeline column is 25 May 2018, the enforcement date; the remaining columns (W/C XXX) are placeholders for the weeks of May and June onward, to be filled in. Example templates are taken from the GDPR Complete Compliance Kit.

1 GDPR Preparation Project

1.1 Enquire about third-party GDPR implementation support (if required) | Application Form GDPR Certification | | Project Manager, Management
1.2 Perform gap assessment | GDPR Readiness Assessment | | Project Manager, Project lead
1.3 Gain senior management commitment | | | Project Manager, Project lead
1.4 Initiate project with appropriate resources and budget | | | Project Manager
1.5 Establish document control | Documentation Controller Spreadsheet | | Project Manager

2 GDPR roles, awareness and training

2.1 Communicate data protection changes to suppliers and other stakeholders | General Data Protection Notice | | Project Lead
2.2 Define GDPR roles and responsibilities | | | Project Lead, Senior Management
2.3 Identify lead data protection supervisory authority | | | Project Lead, Senior Management, Legal
2.4 Recruit Data Protection Officer (if required) | Data Protection Officer Job Description | Chapter IV, Section 4 (Data protection officer) | Human Resources
2.5 Appoint Data Protection Officer (if required) | Appointment Data Officer Letter | Chapter IV, Section 4 (Data protection officer) | Senior Management
2.6 Conduct GDPR competence and training needs assessment | | Chapter IV, Section 4 (Data protection officer) | Project Lead
2.7 Perform GDPR-related training and familiarisation | | Chapter IV, Section 4 (Data protection officer) | Project Lead
2.8 Conduct GDPR and information security awareness training | | Chapter IV, Section 4 (Data protection officer) | Project Lead, Information Security Manager

3 Personal data mapping

3.1 Conduct initial personal data information-gathering exercise | Data Audit | Chapter II (Principles) | Project Lead
3.2 Perform audit of personal data by business area | Appendix ISO 27001 Internal Audit Checklist | Chapter II (Principles) | Business Area leads
3.3 Define or amend Data Protection Policy | Data Protection Policy | Article 24(2) (Responsibility of the controller) | Project Lead
3.4 Identify lawful basis for processing personal data in each case | | Article 6 (Lawfulness of processing) | Business Area leads, Legal
3.5 Conduct legitimate interest assessments where required | | Article 6 (Lawfulness of processing) | Business Area leads, Legal
3.6 Identify record-keeping requirements and procedures | Internal Audit Procedure | Article 30 (Records of processing activities) | Project Lead
3.7 Identify and dispose of irrelevant personal information, keeping a log of what was disposed | Information Assets For Disposal Log | Article 6 (Lawfulness of processing) | Business Area leads, Legal

4 Privacy policies and notices

4.1 Define personal data retention and protection policy | Data Retention Policy | Article 5 (Principles relating to processing of personal data) | Project Lead, Business Area Leads, Legal
4.2 Create or amend existing privacy notices | Privacy Policy | Articles 13 and 14 (Information to be provided) | Business Area leads
4.3 Review and amend consent methods and procedures | Data Subject Consent Form | Article 7 (Conditions for consent) | Business Area leads
4.4 Address age-related consent and controls (children) | Parental Consent Form | Article 8 (Conditions applicable to child's consent) | Business Area leads

5 Rights of the data subject

5.1 Create and implement data subject request procedures | Data Subject Change Request Form | Chapter III (Rights of the data subject) | Project Lead
5.3 Create and implement data subject consent withdrawal form | Data Subject Consent Withdrawal Form | Chapter III (Rights of the data subject) | Data Subject Request Administrator
5.4 Create and implement parental consent withdrawal form | Parental Consent Withdrawal Form | Chapter III (Rights of the data subject) | Data Subject Request Administrator
5.5 Start recording data subject requests | Data Subject Access Request Procedure | Chapter III (Rights of the data subject) | Data Subject Request Administrator
5.6 Create and implement User Deletion Request Policy | User Data Deletion Request Form | Chapter III (Rights of the data subject) | Data Subject Request Administrator
5.7 Create and implement Data Subject Access Request Form | Data Subject Access Request Form | Chapter III (Rights of the data subject) | Data Subject Request Administrator

6 Controllers and processors

6.1 Update contracts with processors to be GDPR compliant | | Chapter IV, Section 1 (General obligations) | Legal
6.2 Distribute supplier questionnaires regarding personal data protection | Supplier Data Processing Agreement | Chapter IV, Section 1 (General obligations) | Legal
6.3 Provide information to controllers for whom we act as a processor | | Chapter IV, Section 1 (General obligations) | Legal, IT Management
6.4 Update contracts with controllers to be GDPR compliant | Standard Contract Clauses Data Transfers | Chapter IV, Section 1 (General obligations) | Legal
6.5 Address employee confidentiality requirements | | Chapter IV, Section 1 (General obligations) | Human Resources
6.6 Create and implement Bring Your Own Device Policy | Bring Your Own Device Policy | Chapter IV, Section 1 (General obligations) | Human Resources

7 Data protection impact assessment

7.1 Define data protection impact assessment process | DPIA Register | Chapter IV, Section 3 (Data protection impact assessment) | Project Lead
7.2 Conduct data protection impact assessment training | Data Protection Impact Assessment | Chapter IV, Section 3 (Data protection impact assessment) | Project Lead
7.3 Perform initial data protection impact assessment | DPIA Register | Chapter IV, Section 3 (Data protection impact assessment) | Business Area leads

8 International transfers

8.1 Identify international transfers of personal data | | Chapter V (Transfers of personal data to third countries) | Project Lead, Business Area Leads, Legal
8.2 Assess legality of existing international transfers of personal data | | Chapter V (Transfers of personal data to third countries) | Legal
8.3 Put in place agreements for international transfers (where required) | International Transfers Personal Data Proces | Chapter V (Transfers of personal data to third countries) | Legal

9 Personal data breach management

9.1 Create information security incident management procedure | Data Breach Response Notification Procedure | Chapter IV, Section 2 (Security of personal data) | Project Lead, Information Security Manager
9.2 Create information security incident management register | Data Breach Register | Chapter IV, Section 2 (Security of personal data) | Project Lead
9.3 Create personal data breach notification procedure (data subjects) | Breach Report | Chapter IV, Section 2 (Security of personal data) | Project Lead
9.4 Create personal data breach notification procedure (supervisory authority) | Breach Notification To Supervisory Authority | Chapter IV, Section 2 (Security of personal data); Article 33 requires notification without undue delay and, where feasible, within 72 hours of becoming aware of the breach | Project Lead, Information Security Manager
9.5 Conduct information security incident management training | | Chapter IV, Section 2 (Security of personal data) | Project Lead, Information Security Manager
9.6 Test incident management and breach notification procedures | | Chapter IV, Section 2 (Security of personal data) | Project Lead, Information Security Manager
9.7 Create business continuity plan or disaster recovery plan in case of crisis | Disaster Plan | Chapter IV, Section 2 (Security of personal data) | Project Lead, Information Security Manager
9.8 Inform the data subjects that were exposed to a data breach | Breach Notification To Data Subjects | Chapter IV, Section 2 (Security of personal data); Article 34 (communication to the data subject where the breach is likely to result in a high risk) | Project Lead, Information Security Manager

10 Project closure

10.1 Repeat gap assessment to identify remaining non-compliant areas | GDPR Readiness Assessment | | Project Manager, Project lead
10.2 Respond to complaints of data privacy breaches, etc. | Privacy Complaint Response Letter | | Project Manager, Project lead
10.3 Address any remaining non-compliant areas | | | Project Manager, Project lead
10.4 Perform post-project review | | | Project Manager, Project lead, Business Area leads, Legal, IT Management, Senior Management

Check out a solution for all documents you need: GDPR Complete Compliance Kit

Timeline continues: weeks commencing June, July, August and September (W/C XXX placeholders), followed by post-activity dates (Date XXX placeholders).
