A FTSE250 Corporate Lawyer writes...
Who in your organisation is taking day to day ownership of management of the GDPR project? Is your COSEC function running the project (if so who?) or is it the wider legal team or does the project manager even sit outside of legal/cosec altogether?
Aside from your colleagues in HR, IT etc., how many in legal or Cosec are assigned to it, please, and how far down the line are you?
FTSE250 said
There is a separate project team to run GDPR. There is an interim team of 3 under the project manager who reports to the head of facilities.
The working party (c. 15 in total) has a rep from all business and support functions, inc. one from CoSec and legal.
The working party reports to a senior management steering group.
FTSE250 said
GDPR compliance is “owned” by our Corporate Risk Director working within our Cosec, Legal and Risk team reporting to the Company Secretary.
FTSE250 said
The GDPR Project is being led by the Group Company Secretary. A full time Programme Manager (in our Project Management team) has been assigned to work with the GCS and we have established a cross divisional cross functional Working Group.
Legal team members are part of the Working Group which includes representatives from IT, Marketing and HR (including representatives from these functions from EMEA, Americas and Asia). We started the GDPR project in early 2016 and so are reasonably well advanced across each of the areas.
FTSE SMALL CAP said
As a consequence of the way our corporate functions are organised (small listed company, with minimal “head office” functions and considerable autonomy/responsibility for the operational divisions) the “owner” of the GDPR project is the Group Head of Internal Audit/Assurance, who works primarily with the IT directors of the divisions, and with input from the Group Counsel/Company Secretary as required. So the “head office” team is a couple of people, with implementation of GDPR being the responsibility of the management teams of the divisions.
The plan follows what looks like a fairly standard process, and at the moment we are busy data mapping and sorting out what consents will be required.
FTSE250 said
Co Sec leads project, because Business Assurance reports in, which function includes Information Security and Compliance. One from legal team (we only have three lawyers!). Data mapping in progress, and assessment of quality of existing “consents” being reviewed.