(This post contains affiliate hyperlinks. Please read my full disclosure.)
GDPR was a once in a generation update to our data protection regulations. It has enormous implications for those who manage projects that store, process or capture personal data.
This article discusses what project managers need to be aware of when it comes to data protection.

Schrems II implications
What is GDPR?
Even if you aren’t in Europe, GDPR is relevant
What is Personal Data?
1. Who is your Data Protection Officer?
2. What is a Data Privacy Impact Analysis?
3. Will you transfer data outside the EU?
4. What does your Privacy Notice say?
5. What is the Data Retention Policy?
6. What impact does Right to Portability have?
7. Is your project dependent on profiling?
8. Are you using Opt-In Forms?
9. Can you find data in your new software?
10. What is the GDPR Risk?

GDPR and data privacy: it’s still not over, even though the GDPR regulations have been in force for some time now.
Data protection is not an ‘all or nothing’ concept, and this area of regulation is always changing.
Schrems II implications
As the ICO writes:
The Schrems II case judgment issued by the European Court of Justice on Thursday 16 July 2020 ruled that Privacy Shield is no longer a valid method to transfer personal data outside of the EEA.

GDPR projects were all the rage for a while; you might have been involved in one. What does data protection look like for project management, beyond the establishment of GDPR principles within your business? It is still relevant, even though we don’t talk about it every day.
What data protection considerations should you think about before a project begins? If you work in a PMO, these questions also apply to the data protection considerations of the portfolio as a whole.
Below are 10 questions that project managers should ask before starting a project. There’s also a short video that covers some of the main points.
Let’s start with the basics.
It is important to know that I am not a lawyer. This article does not constitute legal advice. I am just someone who has done extensive research on GDPR. Suzanne Dibble’s GDPR documentation pack is a great resource that I recommend. (More details at the bottom). Always seek advice from your legal team.
What is GDPR?
You have probably heard of GDPR, the General Data Protection Regulation which came into effect in Europe on 25 May 2018.
The Information Commissioner’s Office (ICO) ran campaigns in the UK to raise awareness and help businesses comply. Their guidance is still very practical and helpful.
Unless your management team has been living under a rock for a while, they will have worked hard to make your organization comply with the new regulations. The consequences of not being compliant can be severe.
GDPR is relevant even if you aren’t in Europe
Yes, this is the biggie.
Even if you’re not located in Europe and you don’t work for a European company, if you store or process the personal data of European individuals you still have to comply with GDPR principles.
The simplest example is a business that develops new software. If you make it available online and allow people from all over the world to buy it, GDPR will apply to the way that you process data from your European customers.
Frankly, it seems simpler to apply good data protection principles for all your customers. It is not worth trying to set up dual processes that treat European and non-European individuals differently. The principles aren’t that burdensome anyway.
What is Personal Data?
The ICO defines personal data as:
Information about a specific living individual.
This is a very broad category that includes:
Name
Address
Date of birth
Location data gathered through browser history
An identification number, such as a customer number, as long as it can be linked back to a person
Online identifiers