by Kelly Martin

The Challenge

When the European Union introduced its General Data Protection Regulation (GDPR) in 2017, the impact traveled far beyond its borders. Like many U.S.-based organizations, a global philanthropic organization with EU sponsors and affiliates was racing to comply with the deadline. With just six months to go, the organization had assessed the GDPR's impact on business processes, policies and information systems. But it had yet to develop or execute on an actual work plan. Leadership engaged Point B to spearhead the compliance initiative, while minimizing operational impact on the life-changing humanitarian work it does every day.

Setting the stage to sprint

We brought Point B's signature project leadership together with our deep expertise in regulatory compliance to meet the fast-approaching GDPR deadline.

Our client had a strong IT team and Data Protection Officer from the start. We led sprint planning sessions with over 150 IT staff members and worked closely together to prioritize requirements, align resources, and create efficient work streams. To ensure that teams could stay on tight schedules, we identified issues upfront and established processes to mitigate risks. Our intense pre-work enabled teams to hit the ground running. Diligent monitoring kept everyone on track. We shared a compliance-tracking dashboard that made it easy for executives to see progress as teams moved the needle toward the compliance goal.

At the same time, we managed a number of complex legal matters that were critical to compliance, such as amending existing vendor data transfer agreements.

Communications and training were imperative, inside and out. We co-developed an online training course for the 550+ employees directly affected by the GDPR. We also educated EU sponsors and affiliates on our client's IT changes. Looking long term, we operationalized the processes, communications and training to further strengthen EU relationships. And we helped our client consider more binding affiliate relationships to increase compliance control and avoid stiff fines—up to 4 percent of revenues.

Advancing a global mission

Together with our client's internal teams and Data Protection Officer, we reached the finish line two days early. Our client's EU partners are now able to anonymize their data through a one-way, irreversible process. The organization has matured its security and privacy activities in ways that enable future scaling. By being a smart GDPR adopter, our client demonstrates the high value it places on the data privacy of the EU sponsors and affiliates, which is so vital to advancing its mission.