Nymity has released the paper "From Privacy Project to Privacy Program."
What does it mean to move from a GDPR privacy project to a privacy program?
The GDPR came into effect on May 25, 2018. Leading up to this date, many organisations had determined that it would be practical to approach the many requirements of the GDPR as a “project” with various workstreams. To that end, project managers were engaged to assist with the compliance obligations, timelines and milestones in line with a project management methodology and an “end date” of May 25, 2018.
However, as is well known, May 25 was actually the start date, after which organisations had to be able to demonstrate GDPR compliance on an ongoing basis. After this deadline, Nymity began to see a theme emerging among our clients. Because of the GDPR’s heavy operational lift and the numerous workstreams that had been implemented for the May 25 deadline, many privacy officers were thinking about how they might leverage all of the work that was done in preparation for the GDPR. They wanted to do this in order to demonstrate an ongoing capacity to comply with the GDPR as well as potentially address legal compliance requirements with other laws (including the forthcoming California Consumer Protection Act and Brazil’s General Data Protection Law [LGPD]). Also driving this desire for harmonization of their compliance efforts were the 700+ privacy and data protection laws and regulations around the world that they were already grappling with prior to the introduction of the GDPR.