How CAPP Helps You with Privacy Project Management

CAPP uses the Project Management Institute (PMI) and the International Association of Privacy Professionals (IAPP) Certified Information Privacy Manager (CIPM) method as our foundation for privacy project management. The CIPM is accredited by ANSI under ANSI/ISO 17024:2012 and recognized worldwide through a multilateral agreement with the International Accreditation Forum (IAF). Using CAPP to meet your project’s goals and objectives will leave you better equipped to update existing policies and procedures, enhance your long-term data-protection strategy, support privacy-by-design in new products and services and be better prepared to respond to regulatory actions and implement sustainable practices.

Our strategy includes:
  • A comprehensive project plan that addresses and prioritizes compliance with each functional requirement outlined in your target privacy regulation.
  • Providing project management resources that ensure project workstreams are completed effectively and on time and that messaging is consistent internally and externally.
  • Ensuring your project’s goals are aligned with an overarching privacy program charter, company culture, and customer experience expectations.
  • Ensuring that legal/compliance, operational and technological considerations, and guidance are integrated with each applicable workstream, with particular attention paid to risk management and proper documentation of related decision making.
  • Producing accessible resources, guidance/advisement, reporting, and documentation throughout the engagement and ongoing support to the Privacy Officer or designate and their team.

While there can be a large number of workstreams taking place in parallel in a CAPP project, the work can typically be subdivided into four distinct phases. The initial phase consists of four important elements:

  • The project has to be formally created and chartered.
  • Key external stakeholders, project sponsors, and a steering committee associated with the project are identified, including the funding source and key high-level management entities. We want to get a sense of client availability, as project success depends not just on finding the right stakeholders but also on using their time wisely.
  • A clear, written understanding of what our project management team is tasked with delivering has to be generated. This is the “deliverable” of this phase of the project and could be based on the potential workstreams identified in this proposal. At the same time, any specific high-level constraints (including max cost or schedule), performance requirements, or other essential customer requirements must be defined and documented.
  • The project is kicked off and started.

The second primary phase of this project is where designing, unpacking, and planning take place. This is also the phase in which the Privacy Officer or sponsor is most engaged in providing direction and setting expectations. Tasks include:

  • Design, development, and approval of the project’s overall scope, quality requirements, and baselined budget and schedule.
  • Support for procurement, risk, execution, integration, and communication plans.
  • Determination of how the project workstreams will need to be staffed and the key goals to be addressed in each.
  • A plan for identifying, analyzing, and managing all external stakeholders’ expectations, whether they are for, neutral toward, or against the project.

We like to get buy-in for privacy projects from stakeholders by selling it as more than just a compliance exercise and by emphasizing the customer experience.


This is the phase in which the creation of project deliverables, transformation, and workstreams takes place.

During the execution phase, the project also has to monitor and measure the work’s progress with Key Performance Indicators (KPIs) and control changes to the work and plans. We look at this as a separate stage of work performed in parallel with the execution phase, but in practice, it’s indistinguishable from the execution phase. During this period, the project’s primary functions include directing and managing the project staff’s work, managing and mitigating risks that threaten project success, and ensuring that external stakeholders are engaged appropriately and that their expectations are being met.


The last step of a project is the formal close-out of external and internal procurement efforts.

We deliver the project’s product scope to the customer (including formal sign-off for delivery) with a punch list that documents key lessons learned and then formally close the project.