Research purpose.
The primary objective is to create a proposal for a project on the implementation of GDPR into the process management of an organization. The secondary goals include an assessment of compliance with obligations under GDPR for the benefit of the analysed institution, as well as the identification of individual processes involving personal data processing across the organization.
Design / Methodology / Approach.
In the theoretical-methodological part of the paper, literary research was done through a comparison of expert texts by both domestic and foreign authors, including legal regulations, directives, internal resources, and data, etc. Empirical data and results were obtained from internal sources per the formulation of research questions and objectives, as well as applied scientific research analyses. In the analytical part, the qualitative and quantitative research methods, semi-structured interviews, questionnaire surveys, analysis of internal documents, data and results comparison, synthesis and deduction method, data audit, and GAP analysis were used. The significance and contribution of GAP analysis enabled the delineation of project scope and prediction of individual project activities for implementation of the project proposal.
Findings.
The semi-structured interview highlighted shortcomings in meeting requirements under GDPR. This finding was confirmed by analysis of internal documents and their comparison with information obtained in the theoretical part of the paper, which confirmed the absence of internal regulations for personal data protection and employee training. A questionnaire survey among employees revealed gaps in security and legal processes. Through data auditing and GAP analysis, weak points were identified between the planned and actual state of GDPR compliance within the organization´s established processes. The weaknesses revealed incomplete records of personal data processing activities, absence of data processing agreements, employee training, establishment of internal data protection processes, low level of implementation of legal and legislative regulations, and inadequate performance of the role of Data Protection Officer. The scope of the project proposal for achieving GDPR compliance was defined in 16 activities, including ensuring an adequate Data Protection Officer, avoiding excessive collection of unlawful and unnecessary personal data, and reviewing internal regulations. The project duration was planned for 72 days, or 52 working days in a calendar year, with a total cost of 1933,33 EUR. Based on obtained results, it can be concluded that the project is feasible, and the objective of the project was achieved.
Originality / Value / Practical implications.
In conclusion, it is ascertained that the objective of the paper has been achieved: the project proposal has been implemented into the internal regulations of the organization. This ensures that the Data Protection Officer is adequately positioned and that processes and internal regulations for the security and protection of personal data are in place. The economic added value of the project is a return on invested costs of training, while social value is in societal benefits for people, and efficiency of spent resources is ensured by the sustainability of the project beyond established processes, allowing for new inputs in future. The potential of the paper lies in focusing on the effectiveness of costs allocated to the project and the effectiveness of established processes in terms of resource use in personal data processing.
