
NNIT's GDPR Agile Delivery Model

While the May 25 GDPR compliance deadline has passed, there are still companies that are not fully GDPR compliant. Currently, we are meeting customers that fall into one of these three categories:


Category 1
    1. DPIA completed and a good understanding of pain points. Initiated one or several solution projects.
    2. These types of customers are typically asking NNIT for sparring and advice on solutions and approaches, and for help in facilitating vendor discussions.
    3. This category of customers can be further divided into two groups: companies that want to implement a minimum level of policies, procedures, technology, and governance, and companies that are using GDPR as a chance to redo all of their control areas.

Fig 1: GDPR Controls Spider Web

Category 2
    1. These customers have completed a DPIA and have an idea of their key pain points, but they are struggling to find their way forward into the solution phase.
    2. NNIT is helping them with advice, vendor/solution selection, and advice across the entire technology stack, as well as ensuring that decisions made in the business (process optimization, for example) are accounted for within the technology and solutions areas.

Category 3
    1. These customers cannot see a clear overview of the pain points, are not sure what technical controls they have in place, and are not sure what to do next.


NNIT's DPIA methodology and tool include stakeholders from business, IT, and Legal, and NNIT's GDPR Agile Delivery Model is no different. The right hand (business), the left hand (technology), and the middle (governance) have to work together, and the only way to come within striking distance is to go Agile with very few days remaining until May 25.

Usually we start customers in Steps 2 and 3 simultaneously, running short sprints (1 week) and ensuring that decisions or outcomes from these steps are continuously checked against any new findings/risks from Step 1.

Fig 2: GDPR Agile Delivery Model

Step 1
  • Review of data mapping – processes/systems/PII data/data processors
  • Conduct new data/additional data mapping, if required
  • Ensure IT and Legal validation included in data mapping
  • Identification of the pain points and candidate solutions (new and existing)

Step 2
  • High-level plan for actions for in-scope control areas: business cases (Scope/Cost/Schedule/Benefits)
  • Solution design workshops: Impact analysis on the potential consequences of the identified risks and minimum security requirements
  • "Tough Prioritization" – isolate or kill systems and processes that can't be saved – plan their retirement
  • Create a work breakdown schedule as well as the estimation and planning for the Implementation phase – aligned with risk appetite
  • Each solution track must have SMART goals (specific, measurable, assignable, realistic, and time-related)
  • Organizational change management: Communication, awareness, training, etc. Ensure your employees know how to respond to customers and find relevant GDPR resources and information.
  • Feedback into Step 1 – ensure that actions will mitigate gaps/pain points – feed forward into Step 3.

Step 3
  • Looking to implement platform solutions over application solutions – closing several gaps all at once
  • Compliance governance – how are you going to handle requests from data subjects and authorities pre- and post-May 25
  • Review of processes for compliance: legal basis, data proportionality, etc.
  • Data processor agreements in place and updated
  • Rights of the data subjects: data discovery, retention, portability, and deletion
  • Ensure detection and breach processes are ready to be used and tested
  • Feedback into Step 1 and 2 – ensure that implemented solutions mitigate gaps and, if not, decide on what else needs to be done.

NNIT is ready to help you through these three steps. As a full-service provider, we have management consultants, technology consultants, and a wide range of vendors and suppliers that can help kick-start your GDPR program. Below are some key takeaways that we would like to leave you with.



  1. This process must be iterative and risk-driven and involve business, IT, and Legal
  2. Only you can define "state of the art" and "appropriate solutions" (article 32)
  3. Each track must have SMART goals
  4. Data Subject Rights: before you act – authenticate the data subject – if you deliver data or delete data of the wrong data subject, you are no better off
  5. Engage with your current technology vendors – can they help?
  6. Manual processes are as valid as automated ones – just ensure that there is a clear audit trail


If you would like to learn more, please reach out to Steve Peacock, Consulting Director & GDPR Offering Lead, at sepc@nnit.com or +45 30778428.



Steve Peacock, GDPR Consulting Director, +45 30778428, sepc@nnit.com


