A basic data protection project aimed at achieving company-wide compliance should begin with an initial GAP analysis to assess which documents, policies, and processes are already in place. Based on this analysis, existing gaps can be identified, and a structured project plan can be developed. The first step typically involves creating or updating the core data protection documents and foundational processes, laying the groundwork for further implementation and compliance.

The GAP analysis and assessment of the current situation are carried out through workshops, interviews, and the review and analysis of existing documents.

• Preparation and completion of the necessary data processing agreements (DPAs)
• Preparation and conclusion of the necessary contracts for the transfer of personal data within a group of companies
• Creation of a privacy handbook containing all required guidelines and processes, as well as the governance structure. The structure includes the responsibilities assigned to the respective roles within the company.
• Preparation of the list of processing activities
• Determination of the risk of data processing to the rights and freedoms of data subjects (Data Protection Impact Assessment – DPIA)
• Creation of a risk treatment plan with technical and organizational measures
• Creation and implementation of a testing concept to ensure continuous improvement of the level of data protection (PDCA cycle)

In practice, it is advisable to use a software solution from the very beginning of the project in order to create the required documentation and processes. This reduces implementation costs by lowering overall project expenses.