Compliance-Driven Transformation

HEXO PARTNERS

Case Study

Background

In 2017, one of the world's leading medical journals faced the impending challenge of complying with the European Union's General Data Protection Regulation (GDPR), set to take effect in May 2018. GDPR's stringent requirements for data protection and privacy carried significant operational and legal implications for this non-profit, particularly because of its international subscriber base and the nature of its data handling practices. Penalties for non-compliance (up to €20 million or 4% of annual worldwide turnover, whichever is higher) were significant enough to create organizational risk. The organization was 300 people strong, but no clear owner had been identified to lead the project, so the decision was made to engage us to oversee it end to end.

The Problem

At the time of engagement, the organization's primary challenges included:

  • Hard Deadline: A fixed enforcement date (25 May 2018) with significant penalties for non-compliance.

  • Gaps in Data Flow Documentation: Identifying all locations, processes, and systems where personal data (referred to here as Personally Identifiable Information, PII, although GDPR's "personal data" is the broader term) was collected, stored, or processed.

  • Low Stakeholder Awareness: As a new regulation, GDPR's requirements and core principles, such as lawful processing, data minimization, and the right to erasure, were poorly understood.

  • Scope & Gap Analysis: GDPR’s applicability across the organization's products, services, policies, and procedures was unclear.

  • Coordination Across Teams: Functional groups processing PII were not collaborating across department lines.

Outcome

Significant milestones achieved by the GDPR enforcement deadline:

  • Deadline Met, Risk Mitigated: Full compliance was reached by the regulatory deadline, mitigating the risk of non-compliance fines.

  • Organizational Awareness: Leadership and staff gained a thorough understanding of GDPR’s requirements and their roles in achieving and maintaining compliance.

  • Policy and Contract Updates: Privacy policies, data-sharing agreements, and third-party contracts were revised to meet regulatory standards.

  • Sustainable Compliance Framework: The team established a governance model and routine processes for maintaining compliance, including handling data subject requests and regular audits.

Project Approach

Because the organization started early, there was ample time to plan the project, and we used a structured, phased approach:

Phase 1: Organizational Awareness and Project Launch
  • Conducted education sessions with senior stakeholders to build buy-in.

  • Formed a clear governance structure, including steering, advisory, and working teams.

  • Held project kickoff meetings.

Phase 2: Discovery
  • Created a comprehensive data process register to identify all sources and uses of PII covering subscriptions, live events, and digital platforms.

  • Assessed the state of the organization's data handling systems, third-party service providers, and data-sharing practices.

  • Conducted interviews to identify gaps and requirements.

  • Socialized discovery findings across the organization.

Phase 3: Roadmap & Planning
  • Developed a prioritized list of objectives, including updating policies, handling data subject requests, and revising contracts with third-party service providers.

  • In collaboration with working teams, established key milestones and a phased rollout plan for compliance efforts.

  • Built the overall project plan and socialized across the organization.

Phase 4: Implementation
  • Led cross-departmental working team meetings to coordinate the work.

  • Reported progress to the steering team.

Project "Artifacts"

In project management, "artifacts" are items or documents that provide evidence of a project's progress, goals, and results. Artifacts for this project included:

  • Mission and Scope Statement: A document developed with Leadership, articulating the project's objectives, scope, and high-level deliverables.

  • Steering Team Reports: Monthly updates to the Steering Team.

  • Stakeholder Register: A list developed in collaboration with Leadership and department heads, listing project stakeholders and their roles and commitment for participation.

  • Project Requirements: An extensive document developed in collaboration with Subject Matter Experts (SMEs) and cross-functional reviews, describing operational and process changes required in order to comply with GDPR regulations.

  • Risk Register: Identified potential risks, their probability and impact, and mitigation strategies.

  • Work Breakdown Structure (WBS): Provided a hierarchical decomposition of the project’s tasks and activities.

  • Project Schedule: Detailed timelines, milestones, and deliverables for each project phase.

  • Data Process Register: Documented all data flows, sources, and processing activities involving PII. This also serves as the record of processing activities that GDPR Article 30 requires.

  • Privacy Policy Updates: Worked with the Legal team to update privacy and terms of service documents.

  • Training Materials: Worked with the Content team to develop resources to educate employees on GDPR principles and compliance measures.

  • Third-Party Contract Amendments: Worked with the Legal team to update agreements to include GDPR-compliant data protection clauses.

  • Change Management Plan: Outlined procedures for handling data subject requests and maintaining ongoing compliance.

