Project Plan

Achieving a level of "Security Maturity" and complying with modern data protection laws is going to take some effort. You must ensure that you have the correct tools and implement the things needed in an efficient and timely manner.

Using the Global Data Protection Management System (GDPMS) will make the implementation of your data protection and information security simple and effective, as well as efficient, we have done most of the organisational measures for you, out of the box - and built it all into one-place for timely management and overall simplicity.

This is where the "rubber meets the road" so to speak! Typical project management efforts come into play now. Select you budget, resourcing levels and duration. Increase any two to decrease the third item in the triad. You have other options too - use our project planning and implementation team or do it all in-house. 

The Plan


There are only a handful of tasks that need to be accomplished when using the GDPMS. This is because most of the work is already done for you - specifically the organisational measures - you will only need to implement or ensure the technical measures.

The timeline to complete this from start to finish will depend on the resources that are available to complete the "Implementation" item defined in step 3. The usual timeline is between 40 and 60 business days or 3 months.

Audits & Analysis

STEP 1 - Audits & Analysis

  • APPLICATION AUDIT: Identify which applications use Personal Data. (The Application Register - is provided in the GDPMS)

  • DATA AUDIT: Identify where your Personal Data is currently, who is using it, how it is used and how it was obtained. (The Data Flow Audit and Management system is provided in the GDPMS)

  • VENDOR AUDIT: Identify who the third-parties are that you may provide any personal data to and make sure that they have current agreements in place. (Vendor Management and Legal Agreements are provided in the GDPMS)

STEP 2 - Current Processing

  • PROCESSING REGISTER: Bring the top two items from Step 1 into the Processing Register to create relationships between the applications, data owners, processes and legitimacy of the data. (The Processing Register, LIA Register, DPIA Register, Legal Agreements etc. are provided in the GDPMS)

Policy & Implementation

STEP 3 - Review Frameworks, Policies, Standards, Processes, Procedures and Work Items

  • REVIEW: Your Information Security Management Framework and ISO Standards should be tailored to suite the risk appetite and security maturity of your organisation. (The Control Exception register and all the frameworks, policies and standards are provided in the GDPMS as defined in ISO 27002, ISO 29134, ISO 29151, ISO 15489, BS 10012, ISO 20000, ISO 31000)

  • POLICY SIGN OFF: A responsible owner needs to champion the Information Security Policies.

  • IMPLEMENT THE TECHNICAL MEASURES: These are defined in the Technical Measures Dashboard to show progress towards total compliance. The dashboard can be adjusted to suit the control exceptions defined above.

  • RISK ASSESSMENT: Data Protection Impact Assessments, Legitimate Interest Assessments (are provided in the GDPMS)

  • DATA SUBJECT REQUESTS & RESPONSE: Ready to go and managed in the GDPMS.

  • VENDOR/PROCESSOR AGREEMENTS: Update and sign-off on all your processor agreements. (This is managed in the GDPMS)


STEP 4 - Legal Entities

  • DEFINE: The legal entities, with locations etc. This will allow you to know which regulators you will be dealing with in any given circumstance. (This is a built-in function of the GDPMS)

  • CREATE: Create entity relationships using legal instruments to ensure the smooth legal flow of information between the entities. (All inter-entity and intra-entity relationships are managed in the GDPMS)

  • APPOINT: Your Data Governance Committee, Security Team, Chief Privacy Officer and DPO(s).

  • REGISTER: The DPO(s), your processing register (if necessary) and your responsible entity(ies) with the appropriate regulators (where required)

Staff & Contractor Training


STEP 5 - Educate & Train

  • TRAIN: Key staff in the use and handling of personal data.

  • UP-SKILL: Your DPO(s) using any of the great resources available from Data Protection*Services.

  • CERTIFY: Get your business certified as an EU or NON-EU Data Protection Compliant business.

  • ISO-CERTIFICATION: With some additional effort, your business will be well positioned to seek a full external audit for ISO 27001 Certification.

Review & Improve


STEP 6 - Ongoing Review and Improvement

  • CONFIGURE: The GDPMS to automatically manage all your Standards and Control Reviews.

  • EMPOWER: Empower people in your organisation to take responsibility for achieving data protection throughout the enterprise using the GDPMS automated task review register and built in processes.

  • MEET: Regularly meet with Executive and Senior Managers to report hot-spots and work with the Governance Committee to ensure ongoing compliance. (The GDPMS will provide custom reports for senior managers and the board)

  • REVIEW: Review your processes and procedures to ensure great business productivity and awesome data protection for your clients, customers, providers and staff.

Be the First to Know... Visit & Subscribe to our BLOG

Contact Us

This form is for general inquiries. If you are emailing about an existing case regarding a client that we represent, please reply to any of the email communications that you may have received from us about your matter. If you want to lodge a data subject request with a client that we represent, please visit the Data Subject Request form. You will need to know the Membership ID of the company that you would like to service your request. This information must be published on the contact page of our members website and in their Privacy Policy or Collection Statement.

If you wish to lodge a Data Subject Request regarding our service, our GDPMS ID is UK440000. Only use this code if the request is to be handled by us, that is information we have about you. If you would like to read our Privacy Policy and Collection Statement.










Maizieres Les Metz


Cirie TO



United Kingdom

71-75 Shelton Street

Covent Garden


+44 20 7442-5785

(207) 442-5785

United States

Suite 3377

304 S. Jones BLVD

Las Vegas NV 89107

+1 85 5577-8682

(US/Canada Toll-Free)








Full Service Regions


PO Box 834


NSW 2057

+61 4 6621-2726

(04) 6621-2726

Collection Statement & Privacy PolicyWebsite Cookie Policy | Support Desk

© 2010 - 2019 SPTG LLC, GDPR Forensic Limited. All rights reserved.

Data Protection*Services and are Trademarks of GDPR Forensic Limited (UK) and associated companies.

All prices on this website are EUR/EURO "€" unless otherwise stated.

The star logo and the DPO and CA seals are Trademarks of GDPR Forensic Limited,

unauthorised use is prohibited.