November 6, 2017 By Adam Nelson 4 min read

An old friend once gave me some really valuable advice about reaching a goal. He said that you can’t get to where you’re going if you don’t know where you are. Over the years, I’ve found that to be true in a lot of situations. But I think it’s especially fitting in discussing GDPR readiness.

Know Where You Stand With GDPR Readiness

As Cindy Compert explained in our previous blog post, GDPR can be a very complicated regulation. That’s one of the reasons we developed the IBM Security GDPR framework. It’s a straightforward, privacy- and security-based approach to helping you achieve GDPR readiness. Just to refresh your memory, the framework comprises five phases that allow you to:

  • Assess your situation.
  • Design your approach.
  • Transform your practices.
  • Operate your program.
  • Conform with the necessary GDPR requirements.

So if you take my friend’s advice — and your goal is to achieve GDPR readiness — you need to start by figuring out where you are. And that brings us to Phase 1 in our framework, where you assess your situation. This is a good time to begin identifying and mapping how all your GDPR-related data is collected and used, where it’s stored and who can access it.

View IBM Security’s interactive guide to GDPR readiness

Cindy also explained in our last blog post that each of the framework’s five phases addresses both privacy and security issues. Here are the privacy requirements for the Assess phase:

  • Review existing privacy policies and statements and document how they compare with GDPR requirements.
  • Assess data subject rights to consent, use, access, correct, delete and transfer personal data.
  • Discover and classify personal data assets and affected systems.
  • Identify potential access risks.

And here are the security requirements:

  • Assess the current state of your security policies, identifying gaps, benchmarking maturity and establishing conformance road maps.
  • Identify potential vulnerabilities, supporting security and privacy by design.
  • Discover and classify personal data assets and affected systems in preparation for designing security controls.

Assessing Your Maturity Level

Once you have a clearer view of the potential privacy and security challenges you face, you can determine your organization’s maturity level for each of the required measures and see which issues you need to address in order to move forward. But how do you get there? A good place to start is with the GDPR readiness assessment from IBM. It can help you assess how your organization’s personal information is being collected and used, identify where it resides and track how it’s transferred — both internally and externally. More importantly, it can provide you with actionable feedback, and can assign one of the following five levels of GDPR maturity for each requirement, helping to determine whether:

  • You’ve yet to begin to address a specific requirement (Level 1).
  • You’ve taken minimal measures to address a requirement (Level 2).
  • You’ve identified necessary processes (Level 3).
  • You’re consistently measuring and controlling those processes (Level 4).
  • You’re continuously evaluating and improving those processes (Level 5).

So what can you do to increase your maturity levels? Let’s say all you know right now is that your organization is sharing GDPR-protected data with vendors — which means you have limited visibility into where that data will end up and how it will be handled once you’ve shared it. But by strengthening your vendor management processes — with data tracking, for instance — you’re moving in the right direction.

You can also formalize the team that’s responsible for these shares. Maybe call it the Risk-Compliance Group or the Third-party Audit Team. Then ask the team to develop a methodology for performing audits and to assemble and develop metrics to help understand the effectiveness of these audits for reporting purposes. For GDPR, that team can also help build the required technical and organizational measures (TOMs) for controllers to track processors (which is mandated by GDPR Chapter IV). These are just a few examples of how your organization can track and build your GDPR activities and maturity.

Navigating Your GDPR Journey

The better you understand where you are in your GDPR journey, the easier it will be for you to identify what you need to do next in order to reach your destination. And that’s where IBM can help you move forward. As I already mentioned, the GDPR readiness assessment from IBM can help you assess how personal information is collected and used, identify where it resides and track how it’s transferred both internally and externally.

In addition, IBM Security Guardium GDPR Accelerator can help you identify and address vulnerabilities, discover and classify GDPR-related personal data, and identify data access patterns and risks. And the Ten Essential Practices Assessment from IBM can help you assess your security capabilities and readiness, and develop a profile of your security governance and processes based on industry best practices.

I’m guessing that you’re probably thinking you’ve got a lot to learn about where you are in your GDPR journey. And if that’s the case, you’re probably right. But if you take the time and make the effort to fully understand where you are now, you’ll be improving your chances of ending up where you want to be.

Learn more about how IBM can help you navigate your journey to GDPR readiness with privacy and security solutions and within a broader perspective.

View IBM Security’s interactive guide to GDPR readiness

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

More from Data Protection

Data security tools make data loss prevention more efficient

3 min read - As businesses navigate the complexities of modern-day cybersecurity initiatives, data loss prevention (DLP) software is the frontline defense against potential data breaches and exfiltration. DLP solutions allow organizations to detect, react to and prevent data leakage or misuse of sensitive information that can lead to catastrophic consequences. However, while DLP solutions play a critical role in cybersecurity, their effectiveness significantly improves when integrated with the right tools and infrastructure. Key limitations of DLP solutions (and how to overcome them) DLP…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today