Light Dark
January 16, 2018 By Adam Nelson 4 min read
Data Protection

Here we are at the beginning of 2018. And with the start of a new year, we often find ourselves thinking about making changes both big and small. So it seems especially fitting to turn our attention to the Transform phase of the IBM Security General Data Protection Regulation (GDPR) framework.

The goal here is to reach at least a minimum level of readiness before GDPR comes into effect on May 25, 2018. Ideally, that would include being ready to produce a privacy risk impact assessment. That’s one of the first items a regulator is likely to want to see — along with the assurance that you have validated processes and activities in place to sustain or refresh its status.

A secondary goal would be to demonstrate your readiness to address the GDPR Article 30 requirement for records of processing. To do so, you would need to at least be able to provide a summary inventory or catalog of the personal data that’s relevant to your business — including information about where it’s stored and processed and its lineage.

ASSESS THE PROGRESS OF YOUR GDPR JOURNEY WITH YOUR PERSONALIZED GUIDE TO GDPR READINESS

Start Slowly

In our two most recent blog posts, we discussed the process of deciding what you need to do and how you can do it. You’ve made some of the important decisions and it’s likely you’ve developed a plan. Now you should be ready to start implementing that plan. Note that I used the word “start.” That’s because the Transform phase is all about beginning to make your transformation toward GDPR readiness. It’s a slow and controlled rollout that allows you to take an incremental approach to making the changes you’ve deemed necessary.

Clearly, it’s not time to flip the switch just yet. But it is a good time to recognize that there may be problems. In fact, that’s the reason the Transform phase is one of the key elements of the framework. It gives you an opportunity to tease out the problems and determine what works and what doesn’t — in a controlled environment. Think of it as a road test on a closed track where your mistakes can be easily detected and aren’t likely to result in catastrophes.

Where to Begin?

In terms of GDPR privacy requirements, this is where you begin to implement and execute policies, processes and technologies, including those related to data subject access requests. And to meet GDPR security requirements, you should be starting to implement privacy-enhancing controls such as encryption, tokenization and dynamic masking.

You should also consider implementing required security controls, including access control, activity monitoring and alerting. In addition, you may need to mitigate any access risks and security vulnerabilities that you discover.

What Exactly Will You Be Transforming?

If you’ve already worked through the Assess and Design phases of the framework (which is likely at this point), you should have the answer. During those two phases, you would have identified your targets, decided your metrics, focused your team and agreed on a plan — because it will take a united effort to move forward.

Now is the time to start rolling out your new processes and procedures for meeting the GDPR privacy requirements. Start with a few and see what works for your organization.

At the same time, you can start rolling out your security-enhancing controls. Test them with a pilot team and determine what’s useful. And keep in mind that these may be major changes for some parts of your organization, which makes it your job to see that the transition to new policies and procedures goes as smoothly as possible.

How to Succeed

Frustration can come easily when you’re making a lot of significant changes to the way things are done. And while there isn’t any single right way to navigate the Transform phase, consider what I view as best practices to help you avoid unnecessary conflict at this point. Here’s a list of the most important ones:

  • Pay attention to your stakeholders. They’re the ones in the best position to spot problems and propose workable solutions.
  • Start with a solid project plan. That can help you identify potential issues and pitfalls before they impact the entire process.
  • Station a good team on the ground. They should be able to both see the big picture and know when to zoom in on the details.
  • Insist on active participants. You need a team of doers who are ready and eager to both do the work and communicate constantly.
  • Cultivate executive leadership support. It’s good to have the C-suite on your side when you to need to make some tough decisions.
  • Set expectations. You know this is going to be a slow process and that things may go wrong; make sure everyone else knows it, too.
  • Communicate your vision early on. Be clear about what you want to see happen and about how you’ll define success.

So, yes, GDPR requires making a lot of changes. And, as you’ve likely figured out, some of those changes can be pretty complicated. But as we’ve been saying for some time now, with a clear understanding of what you need to do and a plan for doing it, you can resolve to make those changes happen.

Learn more about how IBM can help you navigate your journey to GDPR readiness with privacy and security solutions here and within a broader perspective at ibm.com/gdpr.

ASSESS THE PROGRESS OF YOUR GDPR JOURNEY WITH YOUR PERSONALIZED GUIDE TO GDPR READINESS

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

 |  |  |  |  | 
Adam Nelson
Associate Partner, IBM Security Services

More from Data Protection
March 27, 2024

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

March 12, 2024

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

March 5, 2024

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature