International Data Protection Directive enforcement dates: CCPA 1 January 2020, GDPR 25 May 2018

Stakeholders: Project Manager / IT Manager / CTO / Chief Digital Officer / CFO / HoS / [insert name]

Plan columns: Activity, Commencing (start date; no values present in the source), Template, Related ISO/IEC 27001 Article, Related CCPA Article, Related GDPR Article, Lead, followed by weekly timeline columns (weeks 1 to 17).

Legend: activities mandatory for ISO/IEC 27001 and activities mandatory for GDPR are highlighted in green (colour highlighting is not reproduced in this text version).
1 IT Security Identification & Preparation
Templates: IT Security Standards Compliance Kit, CCPA Compliance Kit, GDPR Compliance Kit
Set goals: decide which IT security standard to adopt according to organizational goals and data security needs.

| Activity | Template | Related ISO/IEC 27001 Article | Related CCPA Article | Related GDPR Article | Lead |
|---|---|---|---|---|---|
| 1.1 Gain insights into the meaning and impact of IT Security | | | | | Project Manager, Management |
| 1.2 Gain insights into IT Security vs GDPR/CCPA similarities and differences | | | | | Project Manager, Management |
| 1.3 Perform IT Security compliance check | | | | | Project Manager, Management |
| 1.4 Perform gap assessment (procedure for identification of requirements) | Internal IT Security Gap Analysis | §4.2 & A.18.1.1 | | | Project Manager, Project lead |
| 1.5 Gain senior management commitment | | | | | Project Manager, Project lead |
| 1.6 Initiate project with appropriate resources and budget | | | | | Project Manager |
| 1.7 Establish document control procedure | Documentation Controller | §7.5 | | | Project Manager |

3 Planning

| Activity | Template | Related ISO/IEC 27001 Article | Related CCPA Article | Related GDPR Article | Lead |
|---|---|---|---|---|---|
| 3.1 Conduct initial personal information gathering exercise | | | | Chapter II - Principles | Project Lead |
| 3.2 Perform audit of personal information by business area | ISO 27001 Internal Audit Checklist | | | Article 24(2) Responsibility of the controller | Business Area leads |
| 3.3 Define or amend Data Security Policy | Data Security Plan | §5.2 & 5.3 | | Article 24(2) Responsibility of the controller | Project Lead |
| 3.4 Identify lawful basis for processing personal information in each case | | | | Article 6 Lawfulness of processing; Article 30 | Business Area leads, Legal |
| 3.5 Conduct legitimate interest assessments where required | | | | Article 6 Lawfulness of processing | Business Area leads, Legal |
| 3.6 Identify record-keeping requirements and procedures | Data Retention Policy (GDPR) | | | Article 30 Records of processing activities | Project Lead |
| 3.7 Identify and dispose of irrelevant personal information and keep a log | | | | Article 6 Lawfulness of processing | Business Area leads, Legal |

5 Project closure

| Activity | Template | Related ISO/IEC 27001 Article | Related CCPA Article | Related GDPR Article | Lead |
|---|---|---|---|---|---|
| 10.1 Repeat gap assessment to identify remaining non-compliant areas | | | | | Project Manager, Project lead |
| 10.2 Respond to complaints of data privacy breaches, etc. | | | | | Project Manager, Project lead |
| 10.3 Address any remaining non-compliant areas | | | | | Project Manager, Project lead |
| 10.4 Perform post-project review | | | | | Project Manager, Project lead, Business Area leads, Legal, IT Management, Senior Management |
Project timeline: weekly Gantt columns (weeks 1 to 17) covering January to April 2021, with a post-activity column; start and end dates are placeholders (Date XXX) in the source.