June 5, 2018 By Grace Murphy 3 min read

May 25 marked the deadline for enterprises worldwide to comply with the provisions of the General Data Protection Regulation (GDPR). The sweeping regulation from the European Union (EU) is intended to revolutionize the relationships of data holders or processors and the people associated with that data (also known as data subjects). The GDPR protects the personal data of data subjects from the EU, including citizens, visitors and noncitizen residents, regardless of where their data is being held or processed — and penalties for noncompliance can be substantial.

GDPR conformance is a challenge for many enterprises, even ones with no current EU-resident customers or employees. Companies around the world will be affected if they hire employees with EU citizenship (including dual citizenship) — or if they ever develop customer or business-partner relationships involving EU citizens or residents.

But what is one of the hardest parts of getting ready (and maintaining readiness) for the GDPR? Knowing where to start. The obligations the regulation imposes could spark changes in nearly every part of your enterprise — from customer outreach via social media and data protection to archiving transaction records.

GDPR: Why Data Protection Is Difficult

Data, including personal data, is hard to control because it’s dynamic, distributed and in demand. As data grows, changes and multiplies, keeping track of it becomes more difficult. Your business can’t stop to reexamine and classify data every time a customer record is updated. (Learn more about how to accelerate your GDPR efforts.)

In the age of big data analytics, cloud computing and mobile access, organizations can struggle to keep track of all their data sources. Data is increasingly accessible — and in increasingly complex combinations. Due to this, figuring out every place you hold the personal information of even a single EU data subject is an enormous challenge — and with hundreds or thousands of customers, a vastly bigger one.

Preparing a Five-Phase Action Plan

Finding where your enterprise holds personal data, however, is just one aspect of reaching compliance. Discovering security risks to data stores, designing business processes that minimize data exposure, operating with privacy as a central concern and employing data protection tactics, such as encryption or pseudonymization, all help.

But compliance needs to go even further.

Under the GDPR, you may need to be ready to comply with the regulation by meeting data subjects’ requests to transfer or erase information that identifies them, or by providing documentation of compliance to auditors.

You need to map out a plan to follow a five-phase approach to compliance — no matter where you are in your journey:

  1. Assess data holdings and vulnerabilities to know what data resources are affected.
  2. Design intelligent systems to help ensure compliance.
  3. Transform your business practices and operations.
  4. Operate with privacy at the forefront.
  5. Conform to legal requirements of the regulation.

For a regulation as complex as the GDPR, going at it alone can mean wasted time and uncertainty. Software tools, such as IBM Security Guardium Analyzer, can help you face these challenges with higher efficiency and accuracy, at a low cost and with minimal operational overhead — whether your data is on-premises or stored in the cloud.

Wherever you are on the road to GDPR readiness, there are steps you can take to help your enterprise find GDPR personal data, uncover risk and take action.

Explore More Content

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

More from Data Protection

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

The compelling need for cloud-native data protection

4 min read - Cloud environments were frequent targets for cyber attackers in 2023. Eighty-two percent of breaches that involved data stored in the cloud were in public, private or multi-cloud environments. Attackers gained the most access to multi-cloud environments, with 39% of breaches spanning multi-cloud environments because of the more complicated security issues. The cost of these cloud breaches totaled $4.75 million, higher than the average cost of $4.45 million for all data breaches.The reason for this high cost is not only the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today