Blog series on a software-driven GDPR Implementation Methodology


Are you aware that the 11 chapters and 99 articles of the GDPR hide 57 mandatory privacy activities?

They do exist! The Regulation, however, lacks an ‘instruction’ explaining what these activities are and how they can best be implemented in order to achieve GDPR accountability. 

In the coming months we intend to take you through the four-phased GDPR implementation process we have worked with during the past three years. Core to this process is that it embeds privacy activities into a management cycle.

In this blog series we will touch in more detail upon this implementation process, explain why we think a Plan-Do-Check-Act-based approach is important, and share the experiences gained using this process in our daily practice.

In the remainder of this blog we will address the need for a systematic, software-driven, and role-based implementation methodology.


One of the most common questions we have been hearing post May 2018 is: 

“How can I implement the GDPR in such a manner that GDPR compliance becomes an integral part of my organisation’s business processes?”

This question makes a lot of sense. It touches upon the core of the GDPR challenge, which is how to systematically embed GDPR compliance into an organisation. This is indeed quite a challenge, and one that is overlooked in many GDPR projects. That may not come as a big surprise: projects have completion dates. Embedding processes in day-to-day operations, in our opinion, requires a systematic, i.e. PDCA-based, implementation methodology.

Implementation process

Early in 2017 we started to develop such a PDCA-based implementation methodology in a ‘Software as a Service’ (SaaS) format. This approach, which has since become role-based, is in our experience best suited to address the complexities of the GDPR implementation process.

The roles identified are: ‘Inspector’, ‘Policy maker’, ‘Planner’ and ‘Controller’. In greenfield organisations, these roles are to be executed consecutively. In organisations already ‘GDPR compliant’ the roles can be used to audit and improve the actual GDPR compliance status.

  • Inspector phase

The Inspector’s job is to acquire an initial understanding of the organisation prior to starting the process of embedding the GDPR. To this end the Inspector needs to properly identify the organisation in terms of who is who, the applicable laws & regulations, the processing activities and potential data protection risks.

  • Policy maker phase

The Policy maker’s main job is to create an internal data protection policy consisting of a privacy mission and rules of conduct. Together these constitute the collective compass needed to create the third policy component: an initial GDPR planning (PLAN) to be executed during the Planner phase.

  • Planner phase

The Planner’s job is obvious. He creates a detailed GDPR planning (PLAN), allocates the execution to privacy team members (DO), but leaves the executive management thereof to the Controller.

  • Controller phase

The Controller’s job entails monitoring (CHECK) and advising on matters of implementation (ACT) during the realisation of the GDPR planning. Monitoring here means auditing the timely, complete and correct realisation of the allocated privacy activities.

In our next blog we will discuss in more detail how the Inspector role should be executed. We will especially cover the way in which the software and methodology help you to identify and collect the information needed to complete an online Record of processing activities.


Kind regards,

The TPF team
