10 Creating a GDPR Compliance Department

Well begun is half done.

— Aristotle

The volume of GDPR requirements and the changes they bring within an organization make compliance a daunting task. Even basic filing and organization of personal information can trigger GDPR compliance obligations, and data protection has become an absolute necessity in the era of fast-evolving digitization technologies and connectivity. In this chapter we discuss the frameworks necessary for implementing the regulation by creating a GDPR Compliance Department (or a GDPR Team for smaller businesses).

GDPR brings new standards of data protection, which are likely to be different from those provided under the Data Protection Directive (DPD). When assessing its data-protection measures, a business should abandon the DPD standards and adopt the GDPR standards so that there is no gap in privacy protection. The guide provided in this chapter follows a Waterfall Model, in which the implementation process is divided into pre-established phases that are executed according to their timelines and scope.

10.1 Step 1: Establish a “Point Person”

One of GDPR's pillars is accountability in processing, particularly by allocating liability clearly to Controllers, Processors, Subprocessors, and their foreign counterparts. Within an organization, the various categories of processing activities call for appointing a Data Privacy Officer (DPO) to oversee the operation. This is also a reasonable business practice, as processing sensitive personal data attracts ...
