In the last two years, the Bull & Co technology team has performed a series of "GDPR reviews" for companies of all sizes and in various industries. We have found that some success criteria repeat themselves in the most successful projects. They are listed here:
The right team composition. When a business wants to exert control over which personal data it processes, certain key employees must become involved. If they are not, the result will be imperfect at best. The team's composition should be specific to the company, but should always include one or more employees from product/service, HR, marketing, finance and IT.
Rooted in management. A good result requires management's clear and expressed understanding that a good privacy practice is important to the business. Without crystal clear management support, team members are unlikely to participate with the necessary enthusiasm, and enthusiasm is a crucial ingredient in any privacy project.
Basic knowledge. The management, the team and eventually all other relevant individuals in the business need to have a basic understanding of the legal requirements and concepts related to personal information. This will ensure each individual's ability to contribute to the process (for example, by asking the right questions) and, importantly, the process will be faster. Start with a one-hour basic course for everyone involved.
Project management and legal expertise. Someone must be charged with the overall responsibility for holding all the threads together and ensuring progress. This may be an internal or external resource. Also, be sure to have access to expertise in privacy legislation. Many questions that require legal clarification will come up, and experience from handling similar issues is necessary to ensure a good result.