GDPR project management and deployment

Do you have a project?
Our experts will accompany you throughout your management and deployment

Whether you work alone;

Whether you work in a team;

Whether you are a service provider;

It is essential to ensure that your users’ data and all processing performed on it are GDPR compliant throughout the life of the project.

If, at launch or during the course of your business, you plan to launch/use a website or an application (mobile or tablet), here is a list of the six main steps to follow and implement for a privacy-friendly development within the meaning of GDPR.

1. Step One: Track and Manage Compliance

1- Make yourself aware of the main principles of GDPR

If you are working in a team, it is recommended to identify a person in charge of compliance management. To do this, you have two options:<


  • Appoint an in-house DPO
  • Choose to outsource the DPO role
  • Depending on your project and the data you collect, the appointment of a DPO may become mandatory. This is the case when you process so-called “sensitive” data and your data processing is “large-scale”.

    2 – Mapping and categorizing data and processing

    At each stage of your project and in a precise manner, record the processing carried out by your program, website or application. Thus, you will be able to ensure that your processing is done in compliance with GDPR.

    Keeping a processing register, in addition to being mandatory depending on the data you process, allows you to have a global vision on this data, to identify and prioritize them according to the risks associated with them.

    3 – Prioritization of actions and deployment

    Based on the register of processing that you have set up, you must identify upstream of development the actions to be carried out in order to make your project GDPR compliant. After the identification, you will prioritize the actions and points of attention that involve risks for the data subjects involved in the collection of this data.

    The points of attention include:

    • the need for and types of data collected and then processed;
    • the legal basis for those same data processing operations;
    • the information notices of your program, application or website;
    • the contractual clauses that bind you to your data processors;
    • the measures related to the security of your data that are put in place.

    4 – Risk management

    Among the personal data you process, some are likely to generate risks of varying degrees for the people they concern. You must then ensure that these risks are managed appropriately and in accordance with the context and regulations in force.

    In some cases, a Privacy Impact Assessment (PIA) is required. This analysis allows you to ensure that these risks are appropriately controlled. Note that a PIA is mandatory when you process so-called “sensitive” personal data (medical data, ethnic data, etc.), which are likely to involve high risks for the rights and freedoms of the people they concern.

    5 – Organization of internal processes respecting a charter

    In order to ensure optimal compliance throughout the various and different stages of your project, make sure that all your internal procedures guarantee that the protection of the data subjects’ data is taken into account, and this on all the different components of the project. Your internal processes should also contain a component related to external events that may occur:

    • Internal security breach
    • Security breach on a website or application
    • Request management
    • Access rights management
    • Change of service provider and data processors
    • Data theft
    • Consent gathering from data subjects
    • Etc.

    6 – Document your compliance

    In the event of an inspection, you will have to prove your compliance with GDPR, and this at each step of your project. All the actions carried out and future actions as well as the documents related to them must be legitimized, stored and easily accessible.

    To do this, you must present documentation that is up to date and consistent with your expectations and objectives in the context of your project and its deployment.

    2. Step two: writing and deploying deliverables

    As mentioned above, you need to “Document your compliance”, to show your credentials


    To comply with this, your file will need to include three main categories of documentation:

    1 – Documentation on your personal data processing

    • The processing register
    • PIAs, for so-called sensitive data that may involve risks to data subjects
    • The framework for transfers outside the European Union

    2 – Documentation on informing people

    • Information notices
    • The collection of consent from data subjects
    • ./li>
    • Procedures for exercising rights

    3 – Documentation on contracts defining roles and responsibilities

    • Contracts with data processors
    • The various internal procedures in the event of a data breach
    • Proof of data subjects’ consent (when data processing has this legal basis)

    3. Step three: bringing your processing operations into compliance

    1 – Identify all your processing

    Your Data Controller must keep an up-to-date data processing register, indicating for each processing:

    The purpose of the data collected:

    • The name and contact information of the Data Controller
    • The objectives of each processing operation with its own purpose
    • The data retention periods
    • The categories of data subjects (name, surname, address, telephone number, etc.)
    • Etc.

    2 – Sorted and up-to-date data

    When reading your processing register, you must be quickly able to define and identify whether:

    • Your data is necessary for the purposes you have set and therefore relevant
    • Your data is carefully categorized according to its nature with the aim of adopting and undertaking security actions adapted to the specific risks related to it (PIA on certain categories of data)
    • Your data is accessible to certain persons, internal and/or external, with a specific and supervised right of access
    • Your data is stored and archived with a set deadline that specifies exactly how long it will be kept

    3 – Informing people

    Every time you collect data, whether through a form on your website, through a remote service or during an oral communication, you must obligatorily inform the person concerned about the conditions of use of their data and their rights.

    In order for data to be “usable” by an organization, the data subject must first give their consent in a way that ensures that this consent meets the four cumulative criteria for consent. Thus, a data subject’s consent must be:

    • Free
    • Specific
    • Informed
    • Unambiguous

    4 – An organization that facilitates the exercise of rights

    All stakeholders (employees, subcontractors, contractors..) of an organization have rights over their data. Therefore, it is the responsibility of the Data Controller to allow these different people to exercise their rights in the simplest way possible:

    • Right of access
    • Rectification
    • Opposition
    • Portability
    • Limitation

    4. The role of DPO Consulting in the management and deployment of a GDPR project

    All our teams of experts are trained to work in project mode.

    Consequently, we are able to intervene at any time of the process to manage the compliance of an organization, whatever the size of the entity or its sector of activity.

    Our flexibility and our reactivity allow us to be part of the deployment of a PMEC (Compliance Action Plan) and of an in-depth audit carried out by us, by another company or by an internal DPO.

    If you want to know more about
    GDPR project management and deployment,
    feel free to contact us