May 25 marked the deadline for enterprises worldwide to comply with the provisions of the General Data Protection Regulation (GDPR). The sweeping regulation from the European Union (EU) is intended to revolutionize the relationships of data holders or processors and the people associated with that data (also known as data subjects). The GDPR protects the personal data of data subjects from the EU, including citizens, visitors and noncitizen residents, regardless of where their data is being held or processed — and penalties for noncompliance can be substantial.

GDPR conformance is a challenge for many enterprises, even ones with no current EU-resident customers or employees. Companies around the world will be affected if they hire employees with EU citizenship (including dual citizenship) — or if they ever develop customer or business-partner relationships involving EU citizens or residents.

But what is one of the hardest parts of getting ready (and maintaining readiness) for the GDPR? Knowing where to start. The obligations the regulation imposes could spark changes in nearly every part of your enterprise — from customer outreach via social media and data protection to archiving transaction records.

GDPR: Why Data Protection Is Difficult

Data, including personal data, is hard to control because it’s dynamic, distributed and in demand. As data grows, changes and multiplies, keeping track of it becomes more difficult. Your business can’t stop to reexamine and classify data every time a customer record is updated. (Learn more about how to accelerate your GDPR efforts.)

In the age of big data analytics, cloud computing and mobile access, organizations can struggle to keep track of all their data sources. Data is increasingly accessible — and in increasingly complex combinations. Due to this, figuring out every place you hold the personal information of even a single EU data subject is an enormous challenge — and with hundreds or thousands of customers, a vastly bigger one.

Preparing a Five-Phase Action Plan

Finding where your enterprise holds personal data, however, is just one aspect of reaching compliance. Discovering security risks to data stores, designing business processes that minimize data exposure, operating with privacy as a central concern and employing data protection tactics, such as encryption or pseudonymization, all help.

But compliance needs to go even further.

Under the GDPR, you may need to be ready to comply with the regulation by meeting data subjects’ requests to transfer or erase information that identifies them, or by providing documentation of compliance to auditors.

You need to map out a plan to follow a five-phase approach to compliance — no matter where you are in your journey:

1. Assess data holdings and vulnerabilities to know what data resources are affected.
2. Design intelligent systems to help ensure compliance.
3. Transform your business practices and operations.
4. Operate with privacy at the forefront.
5. Conform to legal requirements of the regulation.

For a regulation as complex as the GDPR, going at it alone can mean wasted time and uncertainty. Software tools, such as IBM Security Guardium Analyzer, can help you face these challenges with higher efficiency and accuracy, at a low cost and with minimal operational overhead — whether your data is on-premises or stored in the cloud.

Wherever you are on the road to GDPR readiness, there are steps you can take to help your enterprise find GDPR personal data, uncover risk and take action.

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.