1. Define the pilot project in house, preferably a member of the Executive Committee involved in company management who cannot be contested
2. Conduct an audit: preferably audits of personal data processing security measures
3. Do data mapping: where is the data? in the Cloud? in which part of the infrastructure?
4. Establish a timetable for compliance: define technical, organisational and legal actions
5. Establish a communication plan suited to the teams' businesses and the environment
6. Define a methodology for the various compliance players (legal department, compliance department, CISO/ISSO, marketing and communication department, etc.)
7. Select a methodology to deploy accountability: define pseudonymisation techniques, create a framework for data transfers, subcontracting, etc.
8. Define how data portability will be set up
9. Work to increase subcontractor obligations: What audit level? How to ensure data is returned and/or is no longer accessible at contract termination?
10. Implement an impact assessment methodology for the minimisation of collected data, the projects and aims to be determined, and security issues