June 5, 2018 By Grace Murphy 3 min read

May 25 marked the deadline for enterprises worldwide to comply with the provisions of the General Data Protection Regulation (GDPR). The sweeping regulation from the European Union (EU) is intended to revolutionize the relationships of data holders or processors and the people associated with that data (also known as data subjects). The GDPR protects the personal data of data subjects from the EU, including citizens, visitors and noncitizen residents, regardless of where their data is being held or processed — and penalties for noncompliance can be substantial.

GDPR conformance is a challenge for many enterprises, even ones with no current EU-resident customers or employees. Companies around the world will be affected if they hire employees with EU citizenship (including dual citizenship) — or if they ever develop customer or business-partner relationships involving EU citizens or residents.

But what is one of the hardest parts of getting ready (and maintaining readiness) for the GDPR? Knowing where to start. The obligations the regulation imposes could spark changes in nearly every part of your enterprise — from customer outreach via social media and data protection to archiving transaction records.

GDPR: Why Data Protection Is Difficult

Data, including personal data, is hard to control because it’s dynamic, distributed and in demand. As data grows, changes and multiplies, keeping track of it becomes more difficult. Your business can’t stop to reexamine and classify data every time a customer record is updated. (Learn more about how to accelerate your GDPR efforts.)

In the age of big data analytics, cloud computing and mobile access, organizations can struggle to keep track of all their data sources. Data is increasingly accessible — and in increasingly complex combinations. Due to this, figuring out every place you hold the personal information of even a single EU data subject is an enormous challenge — and with hundreds or thousands of customers, a vastly bigger one.

Preparing a Five-Phase Action Plan

Finding where your enterprise holds personal data, however, is just one aspect of reaching compliance. Discovering security risks to data stores, designing business processes that minimize data exposure, operating with privacy as a central concern and employing data protection tactics, such as encryption or pseudonymization, all help.

But compliance needs to go even further.

Under the GDPR, you may need to be ready to comply with the regulation by meeting data subjects’ requests to transfer or erase information that identifies them, or by providing documentation of compliance to auditors.

You need to map out a plan to follow a five-phase approach to compliance — no matter where you are in your journey:

  1. Assess data holdings and vulnerabilities to know what data resources are affected.
  2. Design intelligent systems to help ensure compliance.
  3. Transform your business practices and operations.
  4. Operate with privacy at the forefront.
  5. Conform to legal requirements of the regulation.

For a regulation as complex as the GDPR, going at it alone can mean wasted time and uncertainty. Software tools, such as IBM Security Guardium Analyzer, can help you face these challenges with higher efficiency and accuracy, at a low cost and with minimal operational overhead — whether your data is on-premises or stored in the cloud.

Wherever you are on the road to GDPR readiness, there are steps you can take to help your enterprise find GDPR personal data, uncover risk and take action.

Explore More Content

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

More from Data Protection

SpyAgent malware targets crypto wallets by stealing screenshots

4 min read - A new Android malware strain known as SpyAgent is making the rounds — and stealing screenshots as it goes. Using optical character recognition (OCR) technology, the malware is after cryptocurrency recovery phrases often stored in screenshots on user devices.Here's how to dodge the bullet.Attackers shooting their (screen) shotAttacks start — as always — with phishing efforts. Users receive text messages prompting them to download seemingly legitimate apps. If they take the bait and install the app, the SpyAgent malware gets…

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Skills shortage directly tied to financial loss in data breaches

2 min read - The cybersecurity skills gap continues to widen, with serious consequences for organizations worldwide. According to IBM's 2024 Cost Of A Data Breach Report, more than half of breached organizations now face severe security staffing shortages, a whopping 26.2% increase from the previous year.And that's expensive. This skills deficit adds an average of $1.76 million in additional breach costs.The shortage spans both technical cybersecurity skills and adjacent competencies. Cloud security, threat intelligence analysis and incident response capabilities are in high demand. Equally…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today