Implementation of the GDPR using the certified TPF methodology

As such, this is best compared to the process of implementing fiscal rules and regulations. Both GDPR accountability and fiscal accountability require the cooperation of all employees, the registration of each relevant occurrence, complete transparency and an iterative approach based on a Plan-Do-Check-Act cycle.

We have translated this cycle into a role-based GDPR implementation strategy, executed by the Inspector, Policy maker, Planner and Controller roles.



Inspector

An informed impression of an organisation's GDPR context

Preliminary investigation

During the preliminary investigation, applicable laws and regulations are identified, as well as the locations of data files. An inventory is also made of the business processes that involve the processing of personal data.

This requires a three-step procedure in which the software applications being used in each department are identified, including the business processes supported by each application.


Documenting these processing operations is aimed at creating a ‘Register of processings’ which, apart from describing the objectives of processing, lists, among other things, all relevant filing systems and the name-address-city information of processors and third parties. In the Planner phase, the assignment of privacy activities to specific processings is based on this register.

Policy maker

Getting everyone on the same GDPR page

Mission and rules of conduct

The Policy maker phase is where, prior to drawing up the main objective planning, the privacy mission and associated privacy rules of conduct are defined. The result is a policy framework serving as a “compass” in assigning and carrying out privacy activities.

Main objective planning

The main objective planning, on the other hand, is driven by the results of a Privacy Quickscan survey conducted among stakeholders within the organisation. This planning outlines a general prioritisation of privacy activities to be carried out.


Planner

Assigning privacy tasks to members of the privacy team

In the Planner phase, the focus is on assigning privacy tasks to members of the privacy team and on the subsequent performance of these tasks. The team is made up of employees selected on the basis of how well they are equipped, in terms of knowledge and skills, to carry out the planned privacy activities. In total, there are 57 mandatory activities organisations are required to carry out under the General Data Protection Regulation. For each activity, the frequency of performance and the necessary means of proof are recorded.


Controller

Monitoring the timely, complete and accurate performance of privacy activities

The Controller phase is the final stage of the TPF methodology. In this phase, the focus is on monitoring the timely, complete and accurate performance of privacy activities and on iteratively assessing the results of the previous Inspector, Policy maker and Planner phases. The assessment is iterative because the processing of personal data is by nature subject to change, so the assessment needs to follow the same dynamic.
